[QFJ-818] SSL3 “POODLE” Vulnerability impact QuickFIXJ (bundle Apache MINA) ? Created: 03/Nov/14  Updated: 22/Dec/15  Resolved: 22/Dec/15

Status: Closed
Project: QuickFIX/J
Component/s: Networking
Affects Version/s: 1.5.3
Fix Version/s: None

Type: Other Priority: Critical
Reporter: surachai chatsomsiri Assignee: Unassigned
Resolution: Incomplete Votes: 0
Labels: QuickfixJ, ssl
Environment:

quickfixj-all-1.5.3.jar
mina-core-1.1.7.jar
mina-filter-ssl-1.1.7.jar
JRE 6.0.2


 Description   

Hi Support.
I am developer implemented QuickFIXJ(Client side) got feed from QuickFIXJ(Feed Server side), It using SSL protocol, for my understand QuickFIXJ using Apache MINA for establish SSL protocol.

According to the links below, seems that any SSL v3 got impact from the POODLE vulnerability..
the "Poodle" vulnerability, released on October 14th, 2014, is an attack on the SSL 3.0 protocol. It is aprotocol flaw,
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

Could you help me provide information please?
1. What's SSL protocol version using in Apache MINA? <= I try to find information unfortunate i not found it.

2. The “POODLE” Vulnerability will impact with QuickFIXJ (using Apache MINA) if Yes, Can you provide solution to prevent it?

Thank you very much
Surachai C.

 Comments   
Comment by Christoph John [ 03/Nov/14 ]

According to this link http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html you could try passing the https.protocols="TLSv1" property to your app. MINA should pick that up since it uses the SSLEngine from the JDK under the hood.

There is also the possibility to specify the QFJ configuration EnabledProtocols with a list of supported protocols. But I have not tested that yet.

Could you please test that and tell if it worked?
Thanks

Generated at Sun May 05 21:09:20 UTC 2024 using JIRA 7.5.2#75007-sha1:9f5725bb824792b3230a5d8716f0c13e296a3cae.