Hi all,
I had created OOZIE-2034 <https://issues.apache.org/jira/browse/OOZIE-2034>
to address the POODLEbleed vulnerability that was recently announced. The
fix is to disable SSLv3 and only allow TLS.
The documentation on how to do this in Tomcat 6 isn't super clear, and I've
seen a few different ways to do this on the internet. Anyway, none of them
seem to work. Some places have suggested that it's just broken in Tomcat
6. So, it looks like we may need to upgrade Tomcat to fix this...
How should we handle this?
1) Should we try to get this done for the 4.1 release?
2) Anyone have other ideas on how to fix this in Tomcat 6? I've tried all
kinds of combinations and variations on "sslProtocol", "sslProtocols",
"protocols", "sslEnabledProtocols", etc., to no avail.
3) If we upgrade Tomcat, should we go to 7 or 8?
- This would also require a lot of testing and possibly other
changes. Simply upgrading from 6.0.37 to 6.0.41 caused a bunch of tricky
problems.
4) We could try waiting and hoping that they release an update to Tomcat 6
to fix this problem, but I haven't seen anything about a pending update.
- Robert
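
One way to check from the client side whether a connector still negotiates SSLv3 after a configuration change. This is an added example, not part of the original message or of Oozie: it hand-builds an SSLv3 ClientHello, since current TLS libraries usually cannot offer SSLv3, and classifies the first record of the reply. The function names, the sample byte strings and the host/port arguments are assumptions made for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# RSA key-exchange CBC suites (3DES, AES-128, AES-256); CBC is what POODLE concerns.
SUITES = struct.pack(">3H", 0x000A, 0x002F, 0x0035)

# Constructed sample replies (not captured traffic) for offline checks.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" b"\x02\x00\x00\x26" + SSL3
                       + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal alert 40, handshake_failure


def client_hello():
    """Build a minimal SSLv3 ClientHello record (SSLv3 has no extensions)."""
    body = (SSL3 + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack(">H", len(SUITES)) + SUITES  # cipher suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake


def classify(reply):
    """Interpret the first record the server sent back."""
    if len(reply) < 5:
        return "rejected: connection closed"
    rtype = reply[0]
    payload = reply[5:5 + struct.unpack(">H", reply[3:5])[0]]
    if rtype == 0x15 and len(payload) >= 2:
        return "rejected: alert %d" % payload[1]
    # Handshake record, type 2 = ServerHello, server_version 3.0 selected.
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02 and payload[4:6] == SSL3:
        return "accepted: SSLv3 ServerHello"
    return "inconclusive"


def probe(host, port, timeout=5.0):
    """Send the ClientHello to a server you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        try:
            reply = sock.recv(4096)
        except ConnectionResetError:
            reply = b""
    return classify(reply)
```

Calling `probe` with the connector's host and port before and after a change shows whether the setting took effect: an "accepted" result means SSLv3 is still being negotiated.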