db-derby-dev mailing list archives

From "Bryan Pendleton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6764) analyze impact of poodle security alert on Derby client - server ssl support
Date Thu, 23 Oct 2014 13:51:34 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14181342#comment-14181342 ]

Bryan Pendleton commented on DERBY-6764:
----------------------------------------

It seems like our software is at the mercy of the underlying JDK's protocol negotiation.

Stated positively, we always use the best crypto that the underlying JDK will allow,
which seems like a good thing, and about the best we can do.

Perhaps we could have a bit of code which detected when the underlying JDK had
selected a crypto level which was less than the best possible (presumably due to
a client/server partner's JDK level which was lower than ours), and issue some
sort of trace or warning message noting that the partner software's JDK level had
forced us to operate at a lower level of crypto security.


> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>            Reporter: Myrna van Lunteren
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. to eliminate
> support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
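The detection Bryan sketches above (notice when the JDK negotiated something weaker than the best protocol this JVM enables, and emit a trace) can be hooked into the standard JSSE handshake callback. The following is an added illustration written for this page, not Derby's code; the protocol ranking, the class name `ProtocolDowngradeCheck` and the helper names are assumptions, and the negotiated-protocol strings in `main` are constructed stand-ins for what `SSLSession.getProtocol()` would report on a live connection.

```java
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;
import java.util.List;

public final class ProtocolDowngradeCheck {

    // Protocol names as reported by SSLSession.getProtocol(), weakest first.
    // This ranking is an assumption of the example, not a Derby policy.
    private static final List<String> RANKING =
        Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    private static int rank(String protocol) {
        int r = RANKING.indexOf(protocol);
        // An unknown (presumably newer) protocol name is never flagged as a downgrade.
        return r < 0 ? Integer.MAX_VALUE : r;
    }

    /** Strongest protocol among those the local JDK has enabled on a socket or context. */
    static String bestLocalProtocol(String[] enabledProtocols) {
        String best = null;
        for (String p : enabledProtocols) {
            if (best == null || rank(p) > rank(best)) {
                best = p;
            }
        }
        return best;
    }

    /** Warning text if the negotiated protocol is weaker than the best local one, else null. */
    static String downgradeWarning(String negotiated, String bestLocal) {
        if (bestLocal != null && rank(negotiated) < rank(bestLocal)) {
            return "SSL handshake negotiated " + negotiated + " although this JVM enables "
                 + bestLocal + "; the peer's JDK level is limiting the connection to weaker crypto";
        }
        return null;
    }

    /** Install a handshake listener that traces the warning once negotiation finishes. */
    static void watch(SSLSocket socket) {
        final String bestLocal = bestLocalProtocol(socket.getEnabledProtocols());
        socket.addHandshakeCompletedListener(new HandshakeCompletedListener() {
            @Override
            public void handshakeCompleted(HandshakeCompletedEvent e) {
                String w = downgradeWarning(e.getSession().getProtocol(), bestLocal);
                if (w != null) {
                    System.err.println("WARNING: " + w);
                }
            }
        });
    }

    /** The stronger remedy the issue mentions: refuse SSLv3 outright instead of only warning. */
    static void disableSslv3(SSLSocket socket) {
        String[] kept = Arrays.stream(socket.getEnabledProtocols())
            .filter(p -> !p.equals("SSLv3") && !p.equals("SSLv2Hello"))
            .toArray(String[]::new);
        socket.setEnabledProtocols(kept);
    }

    public static void main(String[] args) throws Exception {
        String[] localEnabled = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        String best = bestLocalProtocol(localEnabled);
        System.out.println("Best protocol this JDK enables by default: " + best);
        // Constructed handshake outcomes, standing in for SSLSession.getProtocol() results.
        for (String negotiated : new String[] {"SSLv3", "TLSv1", best}) {
            String w = downgradeWarning(negotiated, best);
            System.out.println(negotiated + " -> " + (w == null ? "ok" : w));
        }
    }
}
```

`watch(socket)` would be called on the client and server `SSLSocket` before the first read or write, so the listener fires once the JDK has finished negotiating; `disableSslv3(socket)` is the alternative the issue description raises, where the socket simply stops offering SSLv3 rather than accepting it and logging.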
