Uploaded image for project: 'Oozie'
  1. Oozie
  2. OOZIE-2034

Disable SSLv3 (POODLEbleed vulnerability)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 4.0.1
    • 4.1.0
    • security
    • None

    Description

      We should disable SSLv3 to protect against the POODLEbleed vulnerability.
      See CVE-2014-3566

      We have sslProtocol="TLS" set to only allow TLS in ssl-server.xml, but when I checked, I could still connect with SSLv3. From what I can tell, there's some ambiguity in the tomcat configs between sslProtocol, sslProtocols, and sslEnabledProtocols so we probably have the wrong thing here.

      Attachments

        1. OOZIE-2034-amendment.patch
          0.6 kB
          Robert Kanter
        2. OOZIE-2034.patch
          0.6 kB
          Robert Kanter
        3. OOZIE-2034.patch
          0.6 kB
          Robert Kanter

        Issue Links

          is related to

          Sub-task - The sub-task of the issue OOZIE-2037 Add TLSv1.1,TLSv1.2

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              rkanter Robert Kanter
              rkanter Robert Kanter
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: