  1. Flume
  2. FLUME-2547

Removing SSLv2Hello causes Java 6 clients to break

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.0, 1.5.2
    • Component/s: None
    • Labels:
      None

      Description

      In Java 6, if the server side does not accept SSLv3, SSLv2Hello is required even if TLS is used. SSLv2Hello itself is not insecure, so we should bring it back for compat with older Java versions.
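The server-side setting the description asks for, as an added example that is not Flume's code: filter the JSSE enabled-protocol list so that SSLv3 is excluded by name while the SSLv2Hello pseudo-protocol (a hello format, not the SSLv2 protocol) stays enabled. The class and method names are hypothetical, and starting from the JVM's default enabled list is an assumption of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical example class; not taken from the Flume code base.
public class ProtocolExcludeExample {

    // Returns the entries of `enabled` that are not named in `excluded`, order preserved.
    static String[] without(String[] enabled, Set<String> excluded) {
        List<String> kept = new ArrayList<String>();
        for (String protocol : enabled) {
            if (!excluded.contains(protocol)) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // configure the server side of the handshake

        // Start from what this JVM enables by default, so filtering never
        // switches on a protocol that the JVM's own policy has disabled.
        String[] jvmDefault = engine.getEnabledProtocols();

        // Exclude list that breaks Java 6 clients: their v2-format hello is refused.
        Set<String> breaking = new HashSet<String>(Arrays.asList("SSLv3", "SSLv2Hello"));
        // Exclude list the issue asks for: SSLv3 stays off, SSLv2Hello is allowed.
        Set<String> compatible = new HashSet<String>(Arrays.asList("SSLv3"));

        System.out.println("breaking:   " + Arrays.toString(without(jvmDefault, breaking)));
        String[] chosen = without(jvmDefault, compatible);
        System.out.println("compatible: " + Arrays.toString(chosen));

        engine.setEnabledProtocols(chosen);
        // Check the result: SSLv3 must not be negotiable on this engine.
        if (Arrays.asList(engine.getEnabledProtocols()).contains("SSLv3")) {
            throw new IllegalStateException("SSLv3 is still enabled");
        }
    }
}
```

Whether `SSLv2Hello` appears in either printed list depends on the JVM's default enabled protocols; the filter only guarantees that it is not removed when it is present.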

        Activity

        jarcec Jarek Jarcec Cecho added a comment -

        Resolving as both subtasks are done.

        water Xiang Li added a comment - - edited

        Hi Hari, you mentioned "Java 6" in the description. Is this issue only in Java 6? If I am using Java 7 and Flume 1.5.0.1, do I need to upgrade to 1.5.2 so as to get SSLv2Hello back? Thanks!

        hshreedharan Hari Shreedharan added a comment -

        Unless you upgraded to 1.5.1, this should not be an issue at all. You should upgrade to 1.5.2 for the security fixes.

        water Xiang Li added a comment -

        Hi Hari, I read the JIRA originally for 1.5.1.
        So 1.5.1 excludes SSLv3 and SSLv2Hello as the default, and 1.5.2 brings SSLv2Hello back, right?
        Is the reason for bringing SSLv2Hello back that many SSL clients, notably JDK 6, use SSLv2Hello to handshake with the server?


          People

          • Assignee:
            hshreedharan Hari Shreedharan
            Reporter:
            hshreedharan Hari Shreedharan