Hi,
first, you do not mean SSLv3 Hello. Hello means the even older
SSLv2_Hello.
This is called hello because the client does not support SSLv2 but
supports the V2 Handshake Syntax.
The next point is that even Java 6 can be configured to use only TLSv1.
TLSv1 is not a state-of-the-art technology like TLSv1.2 with AEAD
cipher suites.
This protocol is from 1999; for security, this is really old.
I am not sure what cipher suites you are using, but from my point of
view I would say if the company uses a cipher technology that is 16
years outdated, they can as well use plain text.
"All change must be managed gracefully."
How long is gracefully in your mind, if we are talking about
security issues?
- Days (required with CVE category 10 like Heartbleed)
- Weeks (normally acceptable for patches)
- Months
- Years
What happened since the beginning of SSLv3:
- RC4 broken
- MD5 broken
- SHA1 broken
- CBC broken
- Padding broken (V3 has no requirements)
- 3DES broken (1/n-1 split)
- Heartbleed
- Poodle
- Export Suites broken
- Export suites, RC4 and others are already forbidden in TLSv1.2, some
even in TLSv1.1
So a really clear point: "PRODUCTION + SSLv3 is an
absolute NO-GO"
Regards, Thomas
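As an added illustration of the point made in this reply (not code from Thomas or from the thread), the following Python snippet builds a client-side SSL context pinned to TLSv1.2 or newer with AEAD-only cipher suites, and includes a small audit helper that flags the legacy algorithms listed above (RC4, MD5, 3DES, export suites) in a set of cipher-suite names. The OpenSSL cipher string and the classification markers are the author's own choices for this example; the list of suite names passed to the audit is constructed for demonstration.

```python
import ssl

# Substrings of OpenSSL cipher-suite names that identify the broken or
# deprecated algorithms named in the reply (markers chosen for this example).
LEGACY_MARKERS = ("RC4", "MD5", "DES-CBC3", "DES-CBC-", "EXP-", "NULL")


def is_aead(name):
    """True for suites using an AEAD mode (GCM, CCM or ChaCha20-Poly1305)."""
    upper = name.upper()
    return "GCM" in upper or "CHACHA20" in upper or "CCM" in upper


def classify_suite(name):
    """Return 'legacy', 'aead' or 'cbc' for an OpenSSL-style suite name.

    'legacy' wins over everything else, so e.g. a hypothetical RC4 suite
    is never reported as acceptable.
    """
    upper = name.upper()
    if any(marker in upper for marker in LEGACY_MARKERS):
        return "legacy"
    if is_aead(upper):
        return "aead"
    # Anything left is a pre-AEAD block-cipher suite (CBC with HMAC).
    return "cbc"


def hardened_context():
    """Client context that refuses everything below TLSv1.2 and non-AEAD suites.

    The cipher string only governs TLS 1.2 and below; TLS 1.3 suites are
    AEAD-only by design and are enabled by default.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"
    )
    return ctx


def audit_suite_names(names):
    """Return the (name, verdict) pairs for every suite that is not AEAD."""
    return [(n, classify_suite(n)) for n in names if classify_suite(n) != "aead"]


def audit_context(ctx):
    """Audit the suites actually enabled in an SSLContext; [] means all AEAD."""
    return audit_suite_names(c["name"] for c in ctx.get_ciphers())


# Constructed sample: what a server stuck on 1999-era configuration might offer.
SAMPLE_LEGACY_SERVER_SUITES = [
    "RC4-SHA",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    for suite, verdict in audit_suite_names(SAMPLE_LEGACY_SERVER_SUITES):
        print(f"{suite:32s} {verdict}")
    ctx = hardened_context()
    print("hardened context minimum:", ctx.minimum_version.name)
    print("non-AEAD suites enabled in hardened context:", audit_context(ctx))
```

Run the file directly to see the four non-AEAD suites from the constructed sample flagged, and an empty list for the hardened context. The audit only inspects suite names; it does not replace an actual handshake test against the real server, but it is a quick way to check a proposed cipher string before deploying it.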