[ https://issues.apache.org/jira/browse/PROTON-716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ken Giusti resolved PROTON-716.
-------------------------------
Resolution: Fixed
Fix Version/s: 0.8
> Reject SSL clients that attempt to use SSLv3
> --------------------------------------------
>
> Key: PROTON-716
> URL: https://issues.apache.org/jira/browse/PROTON-716
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.8
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Fix For: 0.8
>
>
> SSLv3 is vulnerable to CVE-2014-3566, and will not be fixed. See:
> https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
> By default, all clients based on Proton/C will use TLSv1 and are therefore
> not affected by this CVE.
> However, a server based on Proton/C will allow clients to connect using
> either TLSv1 or SSLv3, as it allowed for older clients that had not upgraded
> to SSLv3.
> Since SSLv3 is no longer considered secure, we should prevent Proton/C from
> accepting v3-based SSL connections.
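What rejecting an SSLv3 client looks like on the wire, as an added example that is not part of the issue and not Proton's own code: the server reads the client_version field of the ClientHello and refuses anything below TLSv1 (0x0301). The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VER_TLS10 0x0301u   /* SSLv3 is 0x0300 */

/* Return the client_version offered in a ClientHello, or 0 if the bytes are
 * not the start of one. Layout shared by SSLv3 and TLS 1.0-1.2:
 *   record:    type(1)=22  version(2)  length(2)
 *   handshake: msg_type(1)=1  length(3)  client_version(2) ...
 * An SSLv2-format hello does not match this layout and also yields 0. */
static unsigned client_hello_version(const uint8_t *b, size_t n)
{
    if (n < 11) return 0;                    /* 5 + 4 + 2 bytes needed */
    if (b[0] != 22 || b[1] != 3) return 0;   /* not an SSL3/TLS handshake record */
    size_t rec_len = ((size_t)b[3] << 8) | b[4];
    size_t hs_len  = ((size_t)b[6] << 16) | ((size_t)b[7] << 8) | b[8];
    if (b[5] != 1 || rec_len < 6 || hs_len < 2) return 0;  /* not a ClientHello */
    return ((unsigned)b[9] << 8) | b[10];
}

/* Policy: 1 = continue the handshake, 0 = reject the connection.
 * Only client_version (the highest version the client offers) is checked;
 * the record-layer version may legitimately read 3.0 on a TLS client. */
static int accept_client_hello(const uint8_t *b, size_t n)
{
    return client_hello_version(b, n) >= VER_TLS10;
}

/* Constructed samples: the first 11 bytes of two ClientHello messages. */
static const uint8_t hello_ssl3[]  = {22, 3, 0, 0, 45, 1, 0, 0, 41, 3, 0};
static const uint8_t hello_tls10[] = {22, 3, 0, 0, 45, 1, 0, 0, 41, 3, 1};

int main(void)
{
    printf("SSLv3-only client: %s\n",
           accept_client_hello(hello_ssl3, sizeof hello_ssl3) ? "accept" : "reject");
    printf("TLSv1 client:      %s\n",
           accept_client_hello(hello_tls10, sizeof hello_tls10) ? "accept" : "reject");
    return 0;
}
```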