[
https://issues.apache.org/jira/browse/OOZIE-2034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14183110#comment-14183110
]
Robert Kanter commented on OOZIE-2034:
--------------------------------------
Sure:
*Tomcat docs describing {{sslProtocol}} and {{sslEnabledProtocols}}:*
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#Attributes
*JDK docs on possible values for {{sslProtocol}}:*
http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext
Note that each value says "may support other versions", but doesn't say what
they are. At least for the Oracle JDK, "TLS" includes "SSLv3".
Also note that "TLSv1.1" is an option here, even though it's not actually
supported.
*JDK docs on possible values for {{sslEnabledProtocols}}:*
http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames
Note that "TLSv1.1" is an option here, even though it's not actually supported.
*JDK docs on protocol parameters:*
http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
Note that this lists "TLSv1" but not "TLSv1.1".
> Disable SSLv3 (POODLEbleed vulnerability)
> -----------------------------------------
>
> Key: OOZIE-2034
> URL: https://issues.apache.org/jira/browse/OOZIE-2034
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 4.0.1
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
> Fix For: 4.1.0
>
> Attachments: OOZIE-2034.patch, OOZIE-2034.patch
>
>
> We should disable SSLv3 to protect against the POODLEbleed vulnerability.
> See
> [CVE-2014-3566|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566]
> We have {{sslProtocol="TLS"}} set to only allow TLS in ssl-server.xml, but
> when I checked, I could still connect with SSLv3. From what I can tell,
> there's some ambiguity in the tomcat configs between {{sslProtocol}},
> {{sslProtocols}}, and {{sslEnabledProtocols}} so we probably have the wrong
> thing here.
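The point of the comment above is that {{sslProtocol}} only picks which SSLContext Tomcat builds, while {{sslEnabledProtocols}} is what actually restricts the handshake; a connector that sets only {{sslProtocol="TLS"}} inherits the JSSE defaults, which on the Oracle JDK include SSLv3. The following audit script is an added example, not code from the issue, from Oozie or from Tomcat: it parses a Tomcat server.xml, ignores plain HTTP connectors, and reports every SSL connector that either omits {{sslEnabledProtocols}}, still uses the older {{sslProtocols}} name, or explicitly enables SSLv2/SSLv3. The embedded server.xml, its port numbers and keystore values are constructed placeholders.

```python
"""Audit Tomcat <Connector> elements for SSLv3 exposure (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml. The first connector mirrors the misconfiguration
# in the issue: sslProtocol="TLS" but no sslEnabledProtocols, so the JSSE default
# protocol list (SSLv3 included on the Oracle JDK) stays enabled. The second is
# the corrected form. Ports, paths and passwords are placeholders.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="11443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="CHANGEME"/>
    <Connector port="11444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="conf/keystore.jks" keystorePass="CHANGEME"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Protocol names as used by JSSE; SSLv2 and SSLv3 should never be enabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_enabled_protocols(value):
    """Split a comma-separated sslEnabledProtocols attribute into a clean list."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_connector(conn):
    """Return a list of finding strings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: no TLS settings to check
    port = conn.get("port", "?")

    # The older attribute name; verify it against your Tomcat version's docs
    # rather than assuming it restricts the handshake.
    if "sslProtocols" in conn.attrib and "sslEnabledProtocols" not in conn.attrib:
        findings.append(
            f"port {port}: uses 'sslProtocols'; use 'sslEnabledProtocols' instead")

    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # sslProtocol alone selects the SSLContext, not the enabled versions.
        findings.append(
            f"port {port}: no sslEnabledProtocols; sslProtocol="
            f"\"{conn.get('sslProtocol', 'TLS')}\" only selects the SSLContext, "
            "so the JSSE default protocol list (which may include SSLv3) applies")
        return findings

    weak = [p for p in parse_enabled_protocols(enabled) if p in WEAK_PROTOCOLS]
    if weak:
        findings.append(
            f"port {port}: sslEnabledProtocols explicitly enables {', '.join(weak)}")
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector in a server.xml document.

    Returns {port: [finding, ...]} containing only connectors with findings.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        findings = audit_connector(conn)
        if findings:
            results[conn.get("port", "?")] = findings
    return results


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        for finding in findings:
            print(finding)
```

Run against the embedded sample, only the 11443 connector is reported; the 11444 connector pins {{sslEnabledProtocols}} to TLS versions, and the 8080 connector is not an SSL connector at all. Pointing the script at a real server.xml is a quick pre-deployment check that the fix in this issue actually landed in the connector definition rather than only in {{sslProtocol}}.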