[ https://issues.apache.org/jira/browse/OOZIE-2034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14183074#comment-14183074 ]
Mona Chitnis commented on OOZIE-2034:
-------------------------------------

starting to look at this now..

> Disable SSLv3 (POODLEbleed vulnerability)
> -----------------------------------------
>
>                 Key: OOZIE-2034
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2034
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 4.0.1
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>             Fix For: 4.1.0
>
>         Attachments: OOZIE-2034.patch, OOZIE-2034.patch
>
>
> We should disable SSLv3 to protect against the POODLEbleed vulnerability.
> See [CVE-2014-3566|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566]
> We have {{sslProtocol="TLS"}} set to only allow TLS in ssl-server.xml, but
> when I checked, I could still connect with SSLv3. From what I can tell,
> there's some ambiguity in the tomcat configs between {{sslProtocol}},
> {{sslProtocols}}, and {{sslEnabledProtocols}} so we probably have the wrong
> thing here.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
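
An added example, not part of the original message and not Oozie's own code: a small audit of Tomcat <Connector> elements that flags the situation the issue describes, where only sslProtocol is set and no explicit protocol list excludes SSLv3. The sample XML and its ports are constructed, and which of sslProtocols / sslEnabledProtocols a given Tomcat version actually honours is an assumption to confirm against that version's documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; this is not Oozie's real ssl-server.xml.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,SSLv3"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Attributes named in the issue that may carry an explicit protocol list.
# Assumption: the Tomcat version in use honours at least one of them.
LIST_ATTRS = ("sslEnabledProtocols", "sslProtocols")
WEAK = {"sslv3"}


def audit_connectors(xml_text):
    """Return {port: finding} for every SSL-enabled <Connector>."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        lists = [conn.get(a) for a in LIST_ATTRS if conn.get(a) is not None]
        if not lists:
            # Only sslProtocol (or nothing) is set: the case reported in the
            # issue, where an SSLv3 connection was still accepted.
            findings[port] = "no explicit protocol list"
            continue
        enabled = {p.strip().lower() for v in lists for p in v.split(",")}
        weak = sorted(enabled & WEAK)
        findings[port] = "weak: " + ",".join(weak) if weak else "ok"
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE).items():
        print(port, finding)
```

A finding of "ok" only says the configuration lists no SSLv3; a handshake test against the running server is still needed to confirm the attribute took effect.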