Qpid Proton / PROTON-716

Reject SSL clients that attempt to use SSLv3

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • proton-0.8
    • proton-0.8
    • proton-c
    • None

    Description

      SSLv3 is vulnerable to CVE-2014-3566, and will not be fixed. See:

      https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/

      By default, all clients based on Proton/C will use TLSv1 and are therefore not affected by this CVE.

      However, a server based on Proton/C will allow clients to connect using either TLSv1 or SSLv3, as it allowed for older clients that had not upgraded to SSLv3.

      Since SSLv3 is no longer considered secure, we should prevent Proton/C from accepting v3-based SSL connections.
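What rejecting SSLv3 clients means on the wire, as an added example that is not Proton/C code or part of the original issue: a server-side check that reads the highest protocol version a client offers in its first message and refuses anything below TLS 1.0. The function, enum and sample names are hypothetical, and the sample byte strings are constructed and truncated right after the version field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not Proton/C code. */
enum hello_verdict { HELLO_ACCEPT, HELLO_REJECT_PRE_TLS, HELLO_MALFORMED };

#define WIRE_TLS1_0 0x0301u   /* TLS 1.0; SSL 3.0 is 0x0300 on the wire */

static enum hello_verdict by_version(unsigned v)
{
    return v >= WIRE_TLS1_0 ? HELLO_ACCEPT : HELLO_REJECT_PRE_TLS;
}

/* Decide from the highest version the client offers in its first message.
 * buf holds the first bytes received on the connection. */
enum hello_verdict check_client_hello(const uint8_t *buf, size_t len)
{
    /* SSLv2-compatible hello: length(2, high bit set) msg_type(1) version(2) */
    if (len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01)
        return by_version(((unsigned)buf[3] << 8) | buf[4]);

    /* TLS record: type(1) version(2) length(2), then handshake header
     * msg_type(1) length(3), then ClientHello.client_version(2). */
    if (len < 11 || buf[0] != 0x16 || buf[1] != 0x03 || buf[5] != 0x01)
        return HELLO_MALFORMED;
    if ((((size_t)buf[3] << 8) | buf[4]) < 6)
        return HELLO_MALFORMED;  /* record too short to hold client_version */

    /* The record-layer version (buf[1..2]) can differ from what the client
     * offers; client_version (buf[9..10]) is what decides. */
    return by_version(((unsigned)buf[9] << 8) | buf[10]);
}

/* Constructed samples, truncated right after the version field. */
static const uint8_t hello_ssl3[]    = {0x16,0x03,0x00,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x00};
static const uint8_t hello_tls10[]   = {0x16,0x03,0x01,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x01};
static const uint8_t hello_mixed[]   = {0x16,0x03,0x01,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x00};
static const uint8_t hello_v2_ssl3[] = {0x80,0x2e,0x01,0x03,0x00};

int main(void)
{
    printf("ssl3=%d tls10=%d mixed=%d v2framed=%d\n",
           check_client_hello(hello_ssl3, sizeof hello_ssl3),
           check_client_hello(hello_tls10, sizeof hello_tls10),
           check_client_hello(hello_mixed, sizeof hello_mixed),
           check_client_hello(hello_v2_ssl3, sizeof hello_v2_ssl3));
    return 0;
}
```
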

          People

            kgiusti Ken Giusti
            kgiusti Ken Giusti