directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
Date Fri, 14 Nov 2014 10:02:41 GMT
On Fri, Nov 14, 2014 at 5:55 PM, <shushant.kakkar@lhsystems.com> wrote:

> Hi,
>
> Well we use Java 1.7.0_71.
>
Then half of your problem is gone; Java 7 uses TLSv1 by default.

> The Security Advisory states: "However, even if a client and server both
> support a version of TLS, the security level offered by SSL 3.0 is still
> relevant since many clients implement a protocol downgrade dance to work
> around server-side interoperability bugs."
>
> The recommendation is to disable SSLv3 either on the client or server side to
> completely avoid an attack. We would like to do that on our server side.
>
> We use the Apache DS libraries to create our own LDAP service embedded in
> our own process. The usage of Java 7 won't help us to disable SSLv3, as
> the enabled protocols can only be defined per SSLContext. Thus the question
> would be whether the SSLContext used by the Apache DS library already
> disables SSLv3 by default or whether there is a way to inject an
> SSLContext which does disable SSLv3?
>
Nope, ApacheDS explicitly sets the protocol to TLSv1 in any custom
SSLContext it creates; as Emmanuel already mentioned, you are safe.

>
> Best regards,
>
> Shushant
>
> On 13/11/14 17:16, shushant.kakkar@lhsystems.com wrote:
>
> > Hi Pierre,
> >
> > sorry I missed the previous reply. Thank you for the answer.
> >
> > Just to recheck, if we did not misunderstand the breach, the main aspect
> > is that SSLv2 and SSLv3 are available although TLS is used. An attacker
> > could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> > disabled? If yes, which version of Apache DS should we use? We currently
> > use ApacheDS 1.0.
>
> The question is more: which Java version are you using?
>
> In any case, an attacker can't downgrade the server's protocol in use.
> You have to reconfigure the server to do that. Not likely to happen...
>
> From: KAKKAR, SHUSHANT
> Sent: Thursday, 13 November 2014 17:16
> To: 'Pierre Smits'; Apache Directory Developers List
> Subject: RE: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
>
> Hi Pierre,
>
> sorry I missed the previous reply. Thank you for the answer.
>
> Just to recheck, if we did not misunderstand the breach, the main aspect
> is that SSLv2 and SSLv3 are available although TLS is used. An attacker
> could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> disabled? If yes, which version of Apache DS should we use? We currently
> use ApacheDS 1.0.
>
> Best regards,
>
> Shushant
>
>
> From: Pierre Smits [mailto:pierre.smits@gmail.com]
> Sent: Thursday, 13 November 2014 16:51
> To: Apache Directory Developers List; KAKKAR, SHUSHANT
> Subject: Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
>
> Hi Shushant,
>
> As Emmanuel already stated in his reply on Nov 10th in the user mailing
> list, the Apache Directory Server is expected to be vulnerable with respect
> to the 'POODLE' breach as it doesn't apply the SSLv2 or SSLv3 protocol. It
> applies the TLS protocol to have secure connections.
>
> Best regards,
>
> Pierre Smits
>
> ORRTIZ.COM <http://www.orrtiz.com>
> Services & Solutions for Cloud-Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
>
> On Thu, Nov 13, 2014 at 4:32 PM, <shushant.kakkar@lhsystems.com> wrote:
>
> Hello,
>
> Due to the security breach "POODLE" (detailed information see attachment)
> it is recommended to disable the support of the SSL v3 (and SSL v2)
> protocol (https://access.redhat.com/solutions/1232233). We could not find
> any documentation on how to achieve this goal for Apache DS. Is there any
> recommendation on how to disable the protocol? Or will this issue be
> targeted in a new release?
>
> Best regards,
>
> Shushant Kakkar
>
> From: KAKKAR, SHUSHANT
> Sent: Monday, 10 November 2014 17:41
> To: 'dev@directory.apache.org'
> Subject: Disable usage of SSL (SSLv2 and SSL v3) protocol
>
> Hello,
>
> Due to the security breach "POODLE" (detailed information see attachment)
> it is recommended to disable the support of the SSL v3 (and SSL v2)
> protocol (https://access.redhat.com/solutions/1232233). We could not find
> any documentation on how to achieve this. Is there any recommendation on
> how to disable the protocol? Or will this issue be targeted in a new
> release?
>
> Best regards,
>
> Shushant Kakkar
>



-- 
Kiran Ayyagari
http://keydap.com
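An added example of the per-SSLContext point raised in this thread; it is illustrative code written for this archive page, not code from ApacheDS or from anyone posting here. The protocol name given to SSLContext.getInstance() ("TLS", "TLSv1") selects a JSSE implementation and the highest version it supports; which versions a particular SSLEngine or SSLServerSocket will actually negotiate is its enabled-protocol list, and on the Java 7 builds current at the time of this thread a "TLS"/"TLSv1" context still enabled SSLv3 (plus SSLv2Hello on the server side) until 7u75/8u31 disabled SSLv3 by default. The server-side fix that does not depend on the JDK update level is therefore to call setEnabledProtocols() on every engine or socket the context hands out, and to verify the result. The class and helper names, and initialising the context with default key/trust managers purely to inspect protocol lists, are assumptions for illustration; an embedded LDAP server would pass its own KeyManager[] and hand the hardened engine to whichever framework owns its listener.

```java
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Illustrative class (assumed name, not part of ApacheDS): restricts the
 * protocols a server-side SSLEngine / SSLServerSocket will negotiate to the
 * TLS family, independent of what the JDK enables by default.
 */
public final class TlsOnly {

    /** Keeps only TLS version names; drops SSLv2Hello, SSLv3 and anything unknown. */
    static String[] tlsOnly(String[] names) {
        List<String> keep = new ArrayList<String>();
        for (String p : names) {
            if (p.startsWith("TLSv")) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** True if any SSL-family protocol (SSLv2Hello, SSLv3) is still enabled. */
    static boolean acceptsSsl(String[] enabled) {
        for (String p : enabled) {
            if (p.startsWith("SSL")) {
                return true;
            }
        }
        return false;
    }

    /** Server-mode engine (what an NIO-based server would use) limited to TLS. */
    static SSLEngine hardenedServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Filter the *enabled* list rather than the supported list: this only
        // ever removes versions, it never re-enables one the JDK turned off.
        engine.setEnabledProtocols(tlsOnly(engine.getEnabledProtocols()));
        return engine;
    }

    /** Same restriction for a blocking SSLServerSocket. */
    static SSLServerSocket hardenedServerSocket(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        socket.setEnabledProtocols(tlsOnly(socket.getEnabledProtocols()));
        return socket;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        // Default managers are enough to inspect protocol lists; a real server
        // supplies its own KeyManager[] here (assumption for this demo).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        SSLEngine asShipped = ctx.createSSLEngine();
        asShipped.setUseClientMode(false);
        System.out.println("supported:          " + Arrays.toString(asShipped.getSupportedProtocols()));
        System.out.println("enabled (default):  " + Arrays.toString(asShipped.getEnabledProtocols()));
        System.out.println("SSL accepted?       " + acceptsSsl(asShipped.getEnabledProtocols()));

        SSLEngine hardened = hardenedServerEngine(ctx);
        System.out.println("enabled (hardened): " + Arrays.toString(hardened.getEnabledProtocols()));
        System.out.println("SSL accepted?       " + acceptsSsl(hardened.getEnabledProtocols()));
        if (acceptsSsl(hardened.getEnabledProtocols())) {
            throw new IllegalStateException("SSLv3 still enabled after hardening");
        }
    }
}
```

On a Java 7 build from before 7u75 the first "enabled" line shows SSLv2Hello and SSLv3 alongside the TLS versions and the hardened line shows only TLSv*; on a current JDK SSLv3 is no longer even in the supported list, so the filter is a no-op and both checks print false. The explicit setEnabledProtocols() call is still worth keeping in server code because it makes the policy independent of the JDK's defaults; on JDKs that honour the jdk.tls.disabledAlgorithms security property it can be complemented by listing SSLv3 there, which applies to every context in the JVM without touching application code.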
