[ https://issues.apache.org/jira/browse/PROTON-716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti resolved PROTON-716.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 0.8

> Reject SSL clients that attempt to use SSLv3
> --------------------------------------------
>
>                 Key: PROTON-716
>                 URL: https://issues.apache.org/jira/browse/PROTON-716
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: 0.8
>            Reporter: Ken Giusti
>            Assignee: Ken Giusti
>             Fix For: 0.8
>
>
> SSLv3 is vulnerable to CVE-2014-3566, and will not be fixed. See:
> https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
> By default, all clients based on Proton/C will use TLSv1 and are therefore 
> not affected by this CVE.
> However, a server based on Proton/C will allow clients to connect using 
> either TLSv1 or SSLv3, as it allowed for older clients that had not upgraded 
> to SSLv3.
> Since SSLv3 is no longer considered secure, we should prevent Proton/C from 
> accepting v3-based SSL connections.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
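
As an added illustration (not code from Proton/C or from the issue), refusing SSLv3 on the server side comes down to the highest protocol version the client offers in its first handshake message. The function name, verdict names and sample byte strings below are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_verdict { HELLO_ACCEPT, HELLO_REJECT_OLD, HELLO_MALFORMED };

/* Classify a client's first bytes by the highest version it offers.
 * 0x0300 is SSLv3; 0x0301 and above are TLS 1.0 and later. */
enum hello_verdict classify_client_hello(const uint8_t *p, size_t n)
{
    uint16_t offered;

    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        /* SSLv2-compatible hello: 2-byte length, message type 1, version */
        offered = (uint16_t)((p[3] << 8) | p[4]);
    } else if (n >= 11 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        /* Record type 22 carrying handshake type 1 (ClientHello):
         * 5-byte record header, 4-byte handshake header, client_version */
        offered = (uint16_t)((p[9] << 8) | p[10]);
    } else {
        return HELLO_MALFORMED;
    }
    /* A client whose best offer is SSLv3 (or older) is turned away. */
    return offered <= 0x0300 ? HELLO_REJECT_OLD : HELLO_ACCEPT;
}

/* Constructed sample inputs: only the leading bytes of each hello. */
static const uint8_t sslv3_hello[]  = {0x16,0x03,0x00,0x00,0x2f,0x01,0x00,0x00,0x2b,0x03,0x00};
static const uint8_t tls10_hello[]  = {0x16,0x03,0x01,0x00,0x2f,0x01,0x00,0x00,0x2b,0x03,0x01};
static const uint8_t v2compat_v3[]  = {0x80,0x2e,0x01,0x03,0x00};
static const uint8_t v2compat_tls[] = {0x80,0x2e,0x01,0x03,0x01};
static const uint8_t not_a_hello[]  = {0x47,0x45,0x54,0x20,0x2f};

int main(void)
{
    static const char *names[] = {"accept", "reject (SSLv3 or older)", "malformed"};
    printf("SSLv3 hello:          %s\n", names[classify_client_hello(sslv3_hello, sizeof sslv3_hello)]);
    printf("TLSv1 hello:          %s\n", names[classify_client_hello(tls10_hello, sizeof tls10_hello)]);
    printf("v2-compat, max SSLv3: %s\n", names[classify_client_hello(v2compat_v3, sizeof v2compat_v3)]);
    printf("v2-compat, max TLSv1: %s\n", names[classify_client_hello(v2compat_tls, sizeof v2compat_tls)]);
    printf("plain-text bytes:     %s\n", names[classify_client_hello(not_a_hello, sizeof not_a_hello)]);
    return 0;
}
```

In a real server the TLS library makes this decision during the handshake; the parser only shows which field the decision rests on.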
