db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Matrigali (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6764) analyze impact of poodle security alert on Derby client - server ssl support
Date Thu, 16 Oct 2014 23:37:34 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174464#comment-14174464
] 

Mike Matrigali commented on DERBY-6764:
---------------------------------------

To start I don't have a lot expertise in security part of Derby, so welcome others to set
me straight,
but here is what I think so far:

after some web research and derby code research it looks to me like derby when configured
to use ssl
just picks the "default" ssl.  I think this means it follows the standard handshake which
something like:
Client hello - The client sends the server information including the highest version of SSL
it supports and a list of the cipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.)
The cipher suite information includes cryptographic algorithms and key sizes.
Server hello - The server chooses the highest version of SSL and the best cipher suite that
both the client and server support and sends this information to the client.

So whether derby is affected is dependent solely the JVM versions and JVM settings rather
than anything set
in Derby.  

For ibm jvms if you are running with no special flags, and running at or above ibm16 you should
not be affected.
At least in the ibm jvm's there are various optional flags that can be used to set specific
ssl versions, so you 
can be affected if you are using those flags to specifically choose older versions of ssl.
 Also note in ibm16 there
were changes to ssl in release fix packs, and these comments apply to the latest version of
the ibm 16 release
which has tls 1.0.

I have not looked at oracle jvm flags.

I

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. to eliminate
support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message