Never mind, I wasn't reading the test results right. I can fix it. I'll post a patch up soon. Please ignore this email :)
On Thu, Oct 16, 2014 at 3:47 PM, Robert Kanter <[email protected]> wrote:
> Hi all,
>
> I had created OOZIE-2034
> <https://issues.apache.org/jira/browse/OOZIE-2034> to address the
> POODLEbleed vulnerability that was recently announced. The fix is to
> disable SSLv3 and only allow TLS.
>
> The documentation on how to do this in Tomcat 6 isn't super clear, and
> I've seen a few different ways to do this on the internet. Anyway, none of
> them seem to work. Some places have suggested that it's just broken in
> Tomcat 6. So, it looks like we may need to upgrade Tomcat to fix this...
>
> How should we handle this?
> 1) Should we try to get this done for the 4.1 release?
> 2) Anyone have other ideas on how to fix this in Tomcat 6? I've tried all
> kinds of combinations and variations on "sslProtocol", "sslProtocols",
> "protocols", "sslEnabledProtocols", etc. to no avail.
> 3) If we upgrade Tomcat, should we go to 7 or 8?
>    - This would also require a lot of testing and possible other
> changes. Simply upgrading from 6.0.37 to 6.0.41 caused a bunch of tricky
> problems.
> 4) We could try waiting and hoping that they release an update to Tomcat 6
> to fix this problem, but I haven't seen anything about a pending update.
>
>
> - Robert
>
