From: Kiran Ayyagari
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Fri, 14 Nov 2014 18:02:41 +0800
Subject: Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
In-Reply-To: <833DB064A67D784E8DED059C123566DD272DC3E7@SW-FRAADS-MBX38.ads.dlh.de>
On Fri, Nov 14, 2014 at 5:55 PM, <shushant.kakkar@lhsystems.com> wrote:

> Hi,
>
> Well we use Java 1.7.0_71.
>

then half of your problem is gone, java7 uses TLSv1 by default

> The Security Advisory states "*However, even if a client and server both
> support a version of TLS, the security level offered by SSL 3.0 is still
> relevant since many clients implement a protocol downgrade dance to work
> around serverside interoperability bugs.*"
>
> The recommendation is to disable SSLv3 either on client or serverside to
> completely avoid an attack. We would like to do that on our serverside.
>
> We use the Apache DS libraries to create our own LDAP service embedded in
> our own process. The usage of Java 7 won't help us to disable the SSLv3, as
> the enabled protocols can only be defined per SSLContext. Thus the question
> would be whether the SSLContext used by the Apache DS library already does
> disable the SSLv3 per default or whether there is a way to inject any
> SSLContext which does disable SSLv3?
>

nope, ApacheDS explicitly sets the protocol to TLSv1 in any custom SSLContexts it creates,
like it was already mentioned by Emmanuel, you are safe.

> Best regards,
>
> Shushant
>
> On 13/11/14 17:16, shushant.kakkar@lhsystems.com wrote:
>
> > Hi Pierre,
> >
> > sorry I missed the previous reply. Thank you for the answer.
> >
> > Just to recheck, if we did not misunderstand the breach, the main aspect
> > is that SSLv2 and SSLv3 are available although the TLS is used. An attacker
> > could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> > disabled? If yes, which version of Apache DS should we use? We currently
> > use ApacheDS 1.0.
>
> The question is more: which Java version are you using?
>
> In any case, an attacker can't downgrade the server's protocol in use.
> You have to reconfigure the server to do that. Not likely to happen...
>
> From: KAKKAR, SHUSHANT
> Sent: Thursday, 13 November 2014 17:16
> To: 'Pierre Smits'; Apache Directory Developers List
> Subject: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
>
> Hi Pierre,
>
> sorry I missed the previous reply. Thank you for the answer.
>
> Just to recheck, if we did not misunderstand the breach, the main aspect
> is that SSLv2 and SSLv3 are available although the TLS is used. An attacker
> could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> disabled? If yes, which version of Apache DS should we use? We currently
> use ApacheDS 1.0.
>
> Best regards,
>
> Shushant
>
> From: Pierre Smits [mailto:pierre.smits@gmail.com]
> Sent: Thursday, 13 November 2014 16:51
> To: Apache Directory Developers List; KAKKAR, SHUSHANT
> Subject: Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
>
> Hi Shushant,
>
> As Emmanuel already stated in his reply on Nov 10th in the user mailing
> list, the Apache Directory Server is expected to be vulnerable with respect
> to the 'POODLE' breach as it doesn't apply the SSLv2 or SSLv3 protocol. It
> applies the TLS protocol to have secure connections.
>
> Best regards,
>
> Pierre Smits
>
> *ORRTIZ.COM*
> Services & Solutions for Cloud-
> Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
>
> On Thu, Nov 13, 2014 at 4:32 PM, <shushant.kakkar@lhsystems.com> wrote:
>
> > Hello,
> >
> > Due to the security breach "POODLE" (detailed information see attachment)
> > it is recommended to disable the support of the SSL v3 (and SSL v2)
> > protocol (https://access.redhat.com/solutions/1232233). We could not find
> > any documentation how to achieve this goal for Apache DS. Is there any
> > recommendation how to disable the protocol? Or will this issue be targeted
> > in a new release?
> >
> > Best regards,
> >
> > Shushant Kakkar
> >
> > From: KAKKAR, SHUSHANT
> > Sent: Monday, 10 November 2014 17:41
> > To: 'dev@directory.apache.org'
> > Subject: Disable usage of SSL (SSLv2 and SSL v3) protocol
> >
> > Hello,
> >
> > Due to the security breach "POODLE" (detailed information see attachment)
> > it is recommended to disable the support of the SSL v3 (and SSL v2)
> > protocol (https://access.redhat.com/solutions/1232233). We could not find
> > any documentation how to achieve this goal. Is there any recommendation how
> > to disable the protocol? Or will this issue be targeted in a new release?
> >
> > Best regards,
> >
> > Shushant Kakkar

--
Kiran Ayyagari
http://keydap.com
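As an added check, not code from this thread or from ApacheDS: the algorithm name passed to SSLContext.getInstance (here "TLSv1", the value the thread says ApacheDS uses) does not by itself decide what a server-side SSLEngine will negotiate; the engine's enabled-protocol list does, and it varies by JDK build. This snippet prints that list for the JDK it runs on and then pins it to TLS versions only via setEnabledProtocols, which is the same call an embedding application would apply to the engine it hands to its server. It assumes only a JDK with JSSE; no key material is needed to inspect the lists.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not ApacheDS code): report which protocol versions a
 * server-side SSLEngine would accept, then restrict it to TLS only.
 */
public class ProtocolCheck {

    /** Returns the protocol names left after removing SSLv2Hello and SSLv3. */
    static String[] tlsOnly(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String p : enabled) {
            // SSLv3 is the POODLE target; SSLv2Hello is the legacy hello format.
            if (!p.startsWith("SSLv")) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** True if the engine no longer offers any SSLv2/SSLv3 protocol name. */
    static boolean offersOnlyTls(SSLEngine engine) {
        for (String p : engine.getEnabledProtocols()) {
            if (p.startsWith("SSLv")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Same algorithm name the thread attributes to ApacheDS.
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(null, null, null); // JDK default managers; enough to inspect lists
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side, as an LDAP listener would be

        System.out.println("Supported:      " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("Enabled before: " + Arrays.toString(engine.getEnabledProtocols()));

        // Pin the negotiable set to TLS versions only.
        engine.setEnabledProtocols(tlsOnly(engine.getEnabledProtocols()));
        System.out.println("Enabled after:  " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("SSLv2/v3 off:   " + offersOnlyTls(engine));
    }
}
```

Run it on the exact JDK build the server is deployed on; the "Enabled before" line is the list that matters, whatever the context name says.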