[ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196437#comment-14196437 ]
Mamta A. Satoor commented on DERBY-6764:
----------------------------------------
It is possible with some JVMs to have both SSLv3 and SSLv2Hello enabled, so I
will change the System.arraycopy to not assume that only one protocol was
removed. Instead, it will use the counter removedProtocolsCount, which
maintains exactly how many protocols were removed. Will commit these changes
soon. Also, I am wondering if there is any regression test we can write for
this JIRA? I do plan to fix DERBY-6768 today so at least the list of enabled
protocols on the server side will be in the log file.
> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
> Key: DERBY-6764
> URL: https://issues.apache.org/jira/browse/DERBY-6764
> Project: Derby
> Issue Type: Task
> Affects Versions: 10.12.0.0
> Reporter: Myrna van Lunteren
> Assignee: Mamta A. Satoor
> Fix For: 10.12.0.0
>
> Attachments: DERBY6764_patch1_diff.txt, DERBY6764_patch1_stat.txt
>
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g.
> to eliminate support for SSL in favor of its successor TLS.
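The filtering described in the comment above, sketched as an added example (not Derby's code and not from the attached patch): SSLv3 and SSLv2Hello are dropped from the enabled-protocol list and the result is sized from a removal counter, so it is correct whether zero, one or both protocols were present. The class name, the helper `removeSSLv3` and the sample protocol lists are assumptions made for illustration.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class RemovePoodleProtocols {
    // Hypothetical helper: drop SSLv3 and SSLv2Hello, counting the removals
    // instead of assuming that exactly one protocol was removed.
    static String[] removeSSLv3(String[] enabled) {
        String[] kept = new String[enabled.length];
        int removedProtocolsCount = 0;
        for (int i = 0; i < enabled.length; i++) {
            String p = enabled[i];
            if (p.equalsIgnoreCase("SSLv3") || p.equalsIgnoreCase("SSLv2Hello")) {
                removedProtocolsCount++;
            } else {
                // Compact survivors to the front of the scratch array.
                kept[i - removedProtocolsCount] = p;
            }
        }
        // Size the result from the counter, so no trailing null slot is left
        // when more than one protocol was removed.
        String[] result = new String[enabled.length - removedProtocolsCount];
        System.arraycopy(kept, 0, result, 0, result.length);
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: neither, one, or both protocols enabled.
        String[][] cases = {
            {"TLSv1", "TLSv1.1", "TLSv1.2"},
            {"SSLv3", "TLSv1"},
            {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2"},
        };
        for (String[] c : cases) {
            String[] out = removeSSLv3(c);
            for (String p : out) {
                if (p == null || p.startsWith("SSL")) {
                    throw new AssertionError(Arrays.toString(out));
                }
            }
            System.out.println(Arrays.toString(c) + " -> " + Arrays.toString(out));
        }
        // Apply the filtered list to an engine from the JVM's default context.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setEnabledProtocols(removeSSLv3(engine.getEnabledProtocols()));
        System.out.println("engine: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```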