[
https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216673#comment-14216673
]
Mamta A. Satoor commented on DERBY-6764:
----------------------------------------
Bryan, I have not seen "Plaintext connection attempt from an SSL enabled
client?" during my testing for this jira. I have seen error "No appropriate
protocol" when after removing the SSLv3 protocol, the only protocol left was
TLS but NaiveTrustManager was looking for "SSL" in its code: SSLContext ctx =
SSLContext.getInstance("SSL"); As part of my checkin for this jira, I changed
NaiveTrustManager to look for TLS instead of SSL and that got rid of the "No
appropriate protocol" error.
Like you asked on DERBY-6771, I am wondering too if the user is indeed by
accident trying to make a plaintext connection in case of SSL connection. I do
not think he responded to that question. Looks like though he is going to try
the latest 10.10 or 10.11 jars with SSLv3 protocol removed through the
configuration file to see if the issue is with Derby 10.4.
> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
> Key: DERBY-6764
> URL: https://issues.apache.org/jira/browse/DERBY-6764
> Project: Derby
> Issue Type: Task
> Affects Versions: 10.11.1.1, 10.12.0.0
> Reporter: Myrna van Lunteren
> Assignee: Mamta A. Satoor
> Fix For: 10.11.1.3, 10.12.0.0
>
> Attachments: DERBY6764_backport10_11_patch1_diff.txt,
> DERBY6764_patch1_diff.txt, DERBY6764_patch1_stat.txt
>
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability
> (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g.
> to eliminate support for SSL in favor of its successor TLS.
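Added example (not part of the JIRA comment and not Derby's code): a minimal Java sketch of the pattern the comment describes, requesting the context by the "TLS" name and making sure no SSL-era protocol stays enabled on the engine. The class name TlsOnlyContext and the helper withoutSsl are hypothetical, and the sketch uses the JVM's default trust managers rather than NaiveTrustManager.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration; class and method names are hypothetical, not Derby code.
public class TlsOnlyContext {

    // Drop the SSL-era protocol names, keeping the TLS versions the JVM offers.
    static String[] withoutSsl(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!p.startsWith("SSL")) {   // filters "SSLv3" and "SSLv2Hello"
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Request the context by the "TLS" name rather than "SSL".
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key managers, trust managers, RNG

        SSLEngine engine = ctx.createSSLEngine();
        String[] allowed = withoutSsl(engine.getEnabledProtocols());
        if (allowed.length == 0) {
            // Fail loudly instead of falling back to an SSL protocol.
            throw new IllegalStateException("no TLS protocol left enabled");
        }
        engine.setEnabledProtocols(allowed);

        System.out.println("Context protocol: " + ctx.getProtocol());
        for (String p : engine.getEnabledProtocols()) {
            System.out.println("Enabled: " + p);
        }
    }
}
```

Running it on the JVM that hosts the client or the network server lists the protocols that remain enabled once SSLv3 is excluded.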