Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Enable SSLv3 in 9.2.10.v20150310

On Tue, Apr 14, 2015 at 6:52 PM, Mark Mielke <mark.mielke@xxxxxxxxx> wrote:
Not to recommend the use of SSLv3 by any means, but just to point out that there is a single case (of many) where I was forced to make a software change to migrate to SSLv3, and if making a software change is not feasible for some business reason, this would make it necessary to retain Jetty support for SSLv3 for such a person.

My single case was... I hope I get this right...

Use of Jetty 9.2.x latest as a server, to a Java 6 client on Solaris 8. Java 7 is not available for Solaris 8. Solaris 8 is end-of-life, but the company I work for still has support contracts that stipulate that that the product will still still have support under Solaris 8. Java 6 on Solaris defaults to the SSLv3 Hello, and when I upgraded to Jetty 9.2.x latest from something like Jetty 9.2.1, everything worked fine except for the loadbuild machines support Solaris 8. Jetty 9 is being used as part of a web services frame work that is integrated with the loadbuild process.

First, I backed out the server upgrade to a Jetty version that didn't block SSLv3. This bought breathing room. Then, I researched and figure this all out. I updated the client to a newer version of Apache HttpClient that *also* blocked SSLv3, which caused the client to use TLSv1 Hello by default, which then allowed me to update the server to latest Jetty 9.2.x.

Unless I'm reading this wrong, it looks like the Java folks just fixed this issue in Java 7u80:

"JDK-8052406 : SSLv2Hello protocol may be filtered out unexpectedly"

My issue might have been SSLv2Hello... I didn't dig into *exactly* what the sequence was. I just understood it was something earlier than TLS 1.0...

A bit late unfortunately... :-)

Mark Mielke <mark.mielke@xxxxxxxxx>

Back to the top