Robert Kanter created OOZIE-2034:
------------------------------------
Summary: Disable SSLv3 (POODLEbleed vulnerability)
Key: OOZIE-2034
URL: https://issues.apache.org/jira/browse/OOZIE-2034
Project: Oozie
Issue Type: Bug
Components: security
Affects Versions: 4.0.1
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Blocker
Fix For: 4.1.0
We should disable SSLv3 to protect against the POODLEbleed vulnerability.
See
[CVE-2014-3566|https://access.redhat.com/security/cve/CVE-2014-3566?sc_cid=70160000000eITIAA2&;]
We have {{sslProtocol="TLS"}} set to only allow TLS in ssl-server.xml, but when
I checked, I could still connect with SSLv3. From what I can tell, there's
some ambiguity in the tomcat configs between {{sslProtocol}}, {{sslProtocols}},
and {{sslEnabledProtocols}} so we probably have the wrong thing here.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
