db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6764) analyze impact of poodle security alert on Derby client - server ssl support
Date Tue, 04 Nov 2014 23:15:36 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14197090#comment-14197090

Knut Anders Hatlen commented on DERBY-6764:

I'd suggest the following changes to make the code easier to follow, and hopefully easier
to keep free of bugs:

- remove the {{foundProtocolToRemove}} variable, and instead just check {{(removedProtocolsCount
< enabledProtocols.length)}}.
- rename the {{removeTwoProtocols}} and {{removedProtocolsCount}} variables. Their current
names give the impression that they keep track of the protocols that are to be removed, but
they're actually keeping track of the exact opposite (that is, which protocols to keep). Something
like {{supportedProtocols}} and {{supportedProtocolsCount}} would show more clearly what they're
used for.
- or maybe even better: use an {{ArrayList<String>}} to collect the supported protocols,
and call {{toArray()}} on the list to get the array to pass to {{setEnabledProtocols()}}.
Then there's no need to do manual counting of supported/removed protocols or manual array
copying, and less potential for making mistakes.

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>    Affects Versions:
>            Reporter: Myrna van Lunteren
>            Assignee: Mamta A. Satoor
>             Fix For:
>         Attachments: DERBY6764_patch1_diff.txt, DERBY6764_patch1_stat.txt
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. to eliminate
support for SSL in favor of its successor TLS.

This message was sent by Atlassian JIRA

View raw message