directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
Date Thu, 13 Nov 2014 17:03:12 GMT
On 13/11/14 17:16, shushant.kakkar@lhsystems.com wrote:
> Hi Pierre,
>
> sorry I missed the previous reply. Thank you for the answer.
>
> Just to recheck, if we did not misunderstand the breach, the main aspect is that SSLv2
> and SSLv3 are available although the TLS is used. An attacker could enforce the usage of SSLv2
> and SSLv3. So are these two protocols disabled? If yes, which version of Apache DS should
> we use? We currently use ApacheDS 1.0.
The question is more: which Java version are you using?

In any case, an attacker can't downgrade the server's protocol in use.
You have to reconfigure the server to do that. Not likely to happen...
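
For the Java-version question in the message above, an added example (not part of the original message and not ApacheDS code): a Java program that prints which protocols the running JVM supports and enables by default for a server-side `SSLEngine`, then restricts that engine to the non-SSL entries. The class name `TlsProtocolCheck` and the use of the JVM's default `SSLContext` are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {
    // Legacy protocol names as JSSE reports them. JSSE has no full SSLv2
    // implementation; "SSLv2Hello" is only the SSLv2-format hello message.
    private static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3");

    /** Returns the given protocol list with the legacy SSL entries removed. */
    static String[] withoutLegacy(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!LEGACY.contains(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // The defaults printed below depend on this JVM and its security configuration.
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Assumption: the default context, i.e. what a server gets if it
        // configures nothing itself.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side of the handshake

        System.out.println("supported    = " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled      = " + Arrays.toString(engine.getEnabledProtocols()));

        // Explicit restriction that does not rely on the JVM defaults.
        String[] safe = withoutLegacy(engine.getEnabledProtocols());
        if (safe.length == 0) {
            throw new IllegalStateException("no protocol left after removing SSLv2Hello/SSLv3");
        }
        engine.setEnabledProtocols(safe);
        System.out.println("after filter = " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Run it with the same JVM that runs the server; if `SSLv3` or `SSLv2Hello` appears on the `enabled` line, the server depends on an explicit filter like the one above rather than on the JVM defaults.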

