directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
Date Fri, 14 Nov 2014 10:04:08 GMT
On 14/11/14 10:55, shushant.kakkar@lhsystems.com wrote:
> Hi,
>
> Well we use Java 1.7.0_71.
>
> The Security Advisory states “However, even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around serverside interoperability bugs.”
>
> The recommendation is to disable SSLv3 either on client or serverside to completely avoid an attack. We would like to do that on our serverside.

It *is* already disabled, as we enforce the use of TLS.

I already said that two times. Asking a third time will not bring you
any more comfort.

At this point, I would suggest you check the code yourself, and if
you find some place where you think that SSL v3 can still be used, then
file a JIRA, and we will be very pleased to apply a patch in trunk. Also
keep in mind that ApacheDS 1.0 is no longer maintained, so I strongly
suggest you either switch to ApacheDS 2.0, or you are totally on your own.
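
For readers who want to run the kind of check suggested above on their own JVM, here is an added example (not part of the original message and not ApacheDS code) that lists the protocols a default JSSE engine enables and restricts them to TLS versions. The class name `TlsOnlyCheck` and the helper `tlsOnly` are hypothetical; only standard `javax.net.ssl` calls are used.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: hypothetical class, not taken from ApacheDS.
public class TlsOnlyCheck {

    /** Returns the given JSSE protocol names without SSLv3 and SSLv2Hello. */
    static String[] tlsOnly(String[] protocols) {
        List<String> kept = new ArrayList<String>();
        for (String p : protocols) {
            // JSSE protocol names look like "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2".
            if (!p.startsWith("SSL")) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Fail closed instead of leaving the engine with its previous list.
            throw new IllegalStateException("no TLS protocol left to enable");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // The enabled protocol list of the engine decides what a handshake
        // may negotiate, so that list is what gets inspected here.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // act as the server side

        System.out.println("supported:      "
                + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled before: "
                + Arrays.toString(engine.getEnabledProtocols()));

        // Restrict the engine to TLS versions only.
        engine.setEnabledProtocols(tlsOnly(engine.getEnabledProtocols()));

        System.out.println("enabled after:  "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

If the "enabled before" line already contains no `SSL*` entry, the runtime is not offering SSLv3 through its default context; the same filter can be applied to an `SSLServerSocket` through its own `setEnabledProtocols` method.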
