directory-dev mailing list archives

From <shushant.kak...@lhsystems.com>
Subject AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
Date Fri, 14 Nov 2014 09:55:52 GMT
Hi,

Well we use Java 1.7.0_71.

The Security Advisory states: “However, even if a client and server both support a version
of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement
a protocol downgrade dance to work around server-side interoperability bugs.”

The recommendation is to disable SSLv3 either on the client or on the server side to completely avoid
an attack. We would like to do that on our server side.

We use the Apache DS libraries to create our own LDAP service embedded in our own process.
Using Java 7 won’t help us to disable SSLv3, as the enabled protocols can only
be defined per SSLContext. Thus the question would be whether the SSLContext used by the Apache
DS library already disables SSLv3 by default, or whether there is a way to inject
an SSLContext which does disable SSLv3?

Best regards,
Shushant
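The per-context restriction the message describes, as an added Java example (not ApacheDS code and not from anyone in the thread): in Java 7 the enabled protocol list lives on each SSLEngine/SSLSocket created from an SSLContext, so the filter has to be applied at the point where the server builds its engine. How that engine is wired into an embedded ApacheDS instance is not covered by the thread; `newTlsOnlyServerEngine` stands in for that hook, and `SSLContext.getDefault()` is used only so the sample runs without a key store.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: restrict a server-side SSLEngine to TLS versions only. */
public final class TlsOnlyEngine {

    /** Drops SSLv2/SSLv3 identifiers ("SSLv2Hello", "SSLv3") from a protocol list. */
    static String[] dropSslProtocols(String[] supported) {
        List<String> kept = new ArrayList<String>();
        for (String p : supported) {
            // "SSLv2Hello" is the SSLv2-compatible ClientHello format, not a cipher
            // protocol of its own, but it is not needed when only TLS is offered.
            if (p.startsWith("SSL")) {
                continue;
            }
            kept.add(p);
        }
        return kept.toArray(new String[kept.size()]);
    }

    /** Assumed hook: the place where the embedded server creates its engine. */
    static SSLEngine newTlsOnlyServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Start from the JVM's supported list, not the enabled one, so the result
        // does not depend on what the runtime enables by default.
        engine.setEnabledProtocols(dropSslProtocols(engine.getSupportedProtocols()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault(); // a real server loads its key store first
        SSLEngine defaults = ctx.createSSLEngine();
        SSLEngine restricted = newTlsOnlyServerEngine(ctx);
        System.out.println("enabled by default: " + Arrays.toString(defaults.getEnabledProtocols()));
        System.out.println("enabled after fix:  " + Arrays.toString(restricted.getEnabledProtocols()));
        // Self-check: fail loudly if any SSL* protocol survived the filter.
        for (String p : restricted.getEnabledProtocols()) {
            if (p.startsWith("SSL")) {
                throw new IllegalStateException("SSL protocol still enabled: " + p);
            }
        }
    }
}
```

On a Java 7 JVM the "enabled by default" line still lists SSLv3, which is exactly why the filter must be applied on every engine the server creates.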

On 13/11/14 17:16, shushant.kakkar@lhsystems.com wrote:
> Hi Pierre,
>
> sorry I missed the previous reply. Thank you for the answer.
>
> Just to recheck, if we did not misunderstand the breach, the main aspect is that SSLv2
> and SSLv3 are available although TLS is used. An attacker could enforce the usage of SSLv2
> and SSLv3. So are these two protocols disabled? If yes, which version of Apache DS should
> we use? We currently use ApacheDS 1.0.

The question is more: which Java version are you using?

In any case, an attacker can't downgrade the server's protocol in use.
You have to reconfigure the server to do that. Not likely to happen...

From: KAKKAR, SHUSHANT
Sent: Thursday, 13 November 2014 17:16
To: 'Pierre Smits'; Apache Directory Developers List
Subject: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol

Hi Pierre,

sorry I missed the previous reply. Thank you for the answer.

Just to recheck, if we did not misunderstand the breach, the main aspect is that SSLv2 and
SSLv3 are available although TLS is used. An attacker could enforce the usage of SSLv2
and SSLv3. So are these two protocols disabled? If yes, which version of Apache DS should
we use? We currently use ApacheDS 1.0.

Best regards,
Shushant

From: Pierre Smits [mailto:pierre.smits@gmail.com]
Sent: Thursday, 13 November 2014 16:51
To: Apache Directory Developers List; KAKKAR, SHUSHANT
Subject: Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol

Hi Shushant,

As Emmanuel already stated in his reply on Nov 10th on the user mailing list, the Apache Directory
Server is expected to be vulnerable with respect to the 'POODLE' breach as it doesn't apply
the SSLv2 or SSLv3 protocol. It applies the TLS protocol to have secure connections.

Best regards,

Pierre Smits

ORRTIZ.COM
Services & Solutions for Cloud-Based Manufacturing, Professional Services and Retail & Trade
http://www.orrtiz.com

On Thu, Nov 13, 2014 at 4:32 PM, <shushant.kakkar@lhsystems.com> wrote:
Hello,

Due to the security breach "POODLE" (for detailed information see attachment) it is recommended
to disable support for the SSL v3 (and SSL v2) protocol (https://access.redhat.com/solutions/1232233).
We could not find any documentation on how to achieve this goal for Apache DS. Is there any recommendation
on how to disable the protocol? Or will this issue be targeted in a new release?

Best regards,
Shushant Kakkar

From: KAKKAR, SHUSHANT
Sent: Monday, 10 November 2014 17:41
To: 'dev@directory.apache.org'
Subject: Disable usage of SSL (SSLv2 and SSL v3) protocol

Hello,

Due to the security breach "POODLE" (for detailed information see attachment) it is recommended
to disable support for the SSL v3 (and SSL v2) protocol (https://access.redhat.com/solutions/1232233).
We could not find any documentation on how to achieve this goal. Is there any recommendation on how
to disable the protocol? Or will this issue be targeted in a new release?

Best regards,
Shushant Kakkar
