
[jetty-users] Can't enable SSLv3


First, you do not mean SSLv3 Hello. "Hello" means the even older SSLv2_Hello.
This is called Hello because the client does not support SSLv2 but supports the V2
handshake syntax.
The next point is that even Java 6 can be configured to use only TLSv1.
TLSv1 is not a state-of-the-art technology like TLSv1.2 with AEAD cipher suites.
This protocol is from 1999; for security, this is really old.

I am not sure what cipher suites you are using, but from my point of view I would say that if the company
uses cipher technology that is 16 years outdated, they can as well use plain text.

"All change must be managed gracefully. "

How long is "gracefully" in your mind? If we are talking about security issues:
- Days (required with CVE category 10 like Heartbleed)
- Weeks (normally acceptable for patches)
- Months
- Years

What has happened since the beginning of SSLv3:
- RC4 broken
- MD5 broken
- SHA1 broken
- CBC broken
- Padding broken (V3 has no requirements)
- 3DES broken (1/n-1 split)
- Heartbleed
- Poodle
- Export suites broken
- Export suites, RC4 and others are already forbidden in TLSv1.2, some even in TLSv1.1

So a really clear point: "PRODUCTION + SSLv3 is an absolute NO-GO"

Regards, Thomas
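The protocol and cipher-suite restrictions argued for in this thread, as an added example in Java (not code from the original post, and not the Jetty project's own code): a JSSE-level filter that drops the suite families the post lists as broken (RC4, MD5, 3DES, export) plus NULL/anonymous suites, keeping only AEAD (GCM) suites, and a Jetty SslContextFactory configured the same way. It assumes Jetty 9's org.eclipse.jetty.util.ssl.SslContextFactory, whose include/exclude cipher-suite lists are regex-matched; the keystore path and password are placeholders. Note that AEAD suites only exist from TLSv1.2 and the JSSE GCM suites only from Java 8, so on a Java 6 or 7 JVM the filter below returns an empty list, which is itself the finding.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

import org.eclipse.jetty.util.ssl.SslContextFactory;

public class TlsHardening {

    // JSSE-level filter: keep only suites that avoid the algorithms listed in the
    // post (RC4, MD5, 3DES, export) and the NULL/anon suites that are broken by
    // design, and that are AEAD (GCM), which the post names as the state of the art.
    static List<String> filterCipherSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            boolean weak = suite.contains("_RC4_")
                    || suite.endsWith("_MD5")
                    || suite.contains("_3DES_")
                    || suite.contains("_DES_")
                    || suite.contains("_EXPORT")
                    || suite.contains("_NULL_")
                    || suite.contains("_anon_");
            if (!weak && suite.contains("_GCM_")) {
                keep.add(suite);
            }
        }
        return keep;
    }

    // Jetty side: SslContextFactory restricted to TLSv1.2 with the same exclusions.
    // keyStorePath/keyStorePassword are placeholders (assumption); the regex form of
    // setExcludeCipherSuites/setIncludeCipherSuites is the Jetty 9 API.
    static SslContextFactory hardenedSslContextFactory(String keyStorePath, String keyStorePassword) {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath(keyStorePath);
        factory.setKeyStorePassword(keyStorePassword);
        // Whitelist the protocol rather than only blacklisting SSLv3: TLSv1 and
        // TLSv1.1 go too, leaving TLSv1.2, the first version with AEAD suites.
        factory.setIncludeProtocols("TLSv1.2");
        factory.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");
        factory.setExcludeCipherSuites(
                ".*_RC4_.*", ".*_MD5", ".*_3DES_.*", ".*_DES_.*",
                ".*_EXPORT.*", ".*_NULL_.*", ".*_anon_.*");
        // Only forward-secret ECDHE suites with AES-GCM survive.
        factory.setIncludeCipherSuites("TLS_ECDHE_.*_WITH_AES_.*_GCM_SHA.*");
        return factory;
    }

    // Stand-alone check: what the running JVM offers versus what survives the filter.
    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> kept = filterCipherSuites(supported);
        System.out.println("JVM supports " + supported.length + " suites; " + kept.size() + " pass the filter:");
        for (String suite : kept) {
            System.out.println("  " + suite);
        }
    }
}
```

Run the main() on the JVM that will actually host Jetty: if the printed list is empty, no amount of Jetty configuration will give you an AEAD suite there, and the JVM itself is the thing to upgrade before touching the connector settings.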
