On Tue, Apr 14, 2015 at 6:52 PM, Mark Mielke <[email protected]> wrote:
> Not to recommend the use of SSLv3 by any means, but just to point out that > there is a single case (of many) where I was forced to make a software > change to migrate to SSLv3, and if making a software change is not feasible > for some business reason, this would make it necessary to retain Jetty > support for SSLv3 for such a person. > > My single case was... I hope I get this right... > > Use of Jetty 9.2.x latest as a server, to a Java 6 client on Solaris 8. > Java 7 is not available for Solaris 8. Solaris 8 is end-of-life, but the > company I work for still has support contracts that stipulate that that the > product will still still have support under Solaris 8. Java 6 on Solaris > defaults to the SSLv3 Hello, and when I upgraded to Jetty 9.2.x latest from > something like Jetty 9.2.1, everything worked fine except for the loadbuild > machines support Solaris 8. Jetty 9 is being used as part of a web services > frame work that is integrated with the loadbuild process. > > First, I backed out the server upgrade to a Jetty version that didn't > block SSLv3. This bought breathing room. Then, I researched and figure this > all out. I updated the client to a newer version of Apache HttpClient that > *also* blocked SSLv3, which caused the client to use TLSv1 Hello by > default, which then allowed me to update the server to latest Jetty 9.2.x. > Unless I'm reading this wrong, it looks like the Java folks just fixed this issue in Java 7u80: http://bugs.java.com/view_bug.do?bug_id=8052406 "JDK-8052406 : SSLv2Hello protocol may be filtered out unexpectedly" My issue might have been SSLv2Hello... I didn't dig into *exactly* what the sequence was. I just understood it was something earlier than TLS 1.0... A bit late unfortunately... :-) -- Mark Mielke <[email protected]>
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
