directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pierre Smits <>
Subject Re: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
Date Tue, 18 Nov 2014 22:52:51 GMT
Hi All,

We (as a community) thank you for having persisted, conducted tests and
shared with us your finding regarding the POODLE threat that is affecting
our Apache Directory Server up to current released milestone (2.0.0-M18).

We have found that a piece of software that we have taken from another open
source project and use a core element in our solution is creating this
issue. We are now working very hard to get a new milestone release out that
will ensure that remove this threat.

For more information regarding the POODLE threat and our Apache Directory
Server, have a look at: Please share your
concerns and insights there.

On behalf of the community, thank you.


Pierre Smits

Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade

On Fri, Nov 14, 2014 at 11:17 AM, <> wrote:

> Hi Emmanuel,
> well I asked the question again because I was not sure whether TLS just
> set as the protocol for the SSLConnext or the usage of TLS additionally is
> enforced.
> However, thanks for the clarification. We will switch to a newer version.
> Best regards,
> Shushant
> -----Ursprüngliche Nachricht-----
> Von: Emmanuel Lécharny []
> Gesendet: Freitag, 14. November 2014 11:04
> An:
> Betreff: Re: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3)
> protocol
> Le 14/11/14 10:55, a écrit :
> > Hi,
> >
> > Well we use Java 1.7.0_71.
> >
> > The Security Advisory states “However, even if a client and server both
> support a version of TLS, the security level offered by SSL 3.0 is still
> relevant since many clients implement a protocol downgrade dance to work
> around serverside interoperability bugs.”
> >
> > The recommendation is to disable SSLv3 either on client or serverside to
> completely avoid an attack. We would like to do that on our serverside.
> It *is* already disabled, as we enfore the use of TLS.
> I already said that two times. Asking a third time will not bring you any
> more comfort.
> At this point, I would suggest you check the code by yourself, and if you
> find some place where you think that SSL v3 can still be used, then fill a
> JIRA, and we will be very pleased to apply a patch in trunk. Also keep in
> mind that ApacheDS 1.0 is not anymore maintained, so I strongly suggest you
> either switch to ApacheDS 2.0, or you are totally on your own.

View raw message