directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSTUDIO-1011) ApacheStudio sends SSLv2 Client Hello
Date Tue, 20 Jan 2015 23:54:34 GMT

[ https://issues.apache.org/jira/browse/DIRSTUDIO-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284676#comment-14284676 ]

Emmanuel Lecharny commented on DIRSTUDIO-1011:
----------------------------------------------

This is a negotiation. The client sends all the protocols it supports, and the server
picks the strongest one it supports on its side that matches what the client has sent.

Natively, Java supports SSLv3 and TLS v1.0 on the client side (Java 7) and SSLv3 to TLS v1.2 (Java 8). Also see http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#sslv2protonote

You can configure Java on the client side so that it uses a higher level of protocol.

What is the Java version you are using?

> ApacheStudio sends SSLv2 Client Hello
> -------------------------------------
>
>                 Key: DIRSTUDIO-1011
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
>            Reporter: Roy Wellington
>
> I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes indicated by the docs; attempting to connect over either StartTLS or LDAPS both result in "SSL handshake failed."
> Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2 (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected Message" (which is correct). ApacheDS should not be sending an SSLv2 Client Hello; instead, it should use the most recent version of TLS. (SSLv2, and SSLv3, are broken, and insecure.)
> Simply running,
> {noformat}
> % ldapsearch -H ldaps://<my domain>:10636
> {noformat}
> …gets me further in the conversation. (Although {{ldapsearch}} complains about a bad certificate, that's because the cert is self-signed; Wireshark shows that it _is_ getting further in the SSL conversation (it is getting a Server Hello back) than ApacheDS.)
> Note: I'm connecting to an ApacheDS server running on a Linux VM, through an SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the right spot. This should not matter, and I can still connect with openssl (to the LDAPS side; obviously openssl is not capable of StartTLS).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
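The client-side configuration the comment above refers to, shown as an added Java example that is not part of this thread, of Directory Studio or of ApacheDS: it lists the protocol names a JSSE client socket enables by default (on a JDK where the SSLv2Hello pseudo-protocol is enabled, that is the SSLv2-compatible ClientHello seen in the Wireshark trace), filters the list down to TLS versions only, and, if a host and port are given on the command line, performs a handshake and reports which version the server picked from what the client offered. The class and method names are the example's own; the jdk.tls.client.protocols property is a real JSSE setting (JDK 8, backported to later JDK 7 updates), mentioned as an alternative to the per-socket call.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Directory Studio or ApacheDS code): inspects the protocols
 * a JSSE client socket enables by default, restricts them to TLS only, and
 * optionally handshakes with a server to show what was negotiated.
 */
public class TlsClientProtocols {

    /**
     * Keep only TLS protocol names. "SSLv2Hello" is JSSE's name for the
     * SSLv2-compatible ClientHello format; dropping it (and SSLv3) makes the
     * client send an ordinary TLS record-layer ClientHello that offers only
     * the versions left in the array.
     */
    static String[] tlsOnly(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String p : enabled) {
            if (p.startsWith("TLSv")) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Process-wide alternative to the per-socket call further down
        // (JDK 8 and later JDK 7 updates): must be set before JSSE is initialised.
        // System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();

        // An unconnected socket is enough to inspect the defaults offline.
        SSLSocket probe = (SSLSocket) factory.createSocket();
        System.out.println("Supported by this JDK : " + Arrays.toString(probe.getSupportedProtocols()));
        System.out.println("Enabled by default    : " + Arrays.toString(probe.getEnabledProtocols()));
        String[] hardened = tlsOnly(probe.getEnabledProtocols());
        System.out.println("Enabled after filter  : " + Arrays.toString(hardened));
        probe.close();

        if (args.length != 2) {
            System.out.println("usage: java TlsClientProtocols <host> <port>   (e.g. an LDAPS port such as 10636)");
            return;
        }

        // Connect, restrict the offered versions before the handshake starts,
        // then report the version and suite the server selected.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            socket.setEnabledProtocols(hardened);
            socket.startHandshake();
            System.out.println("Negotiated: " + socket.getSession().getProtocol()
                    + " with " + socket.getSession().getCipherSuite());
        }
    }
}
```

Run it without arguments to see what the JVM in use offers by default; that answers the "which Java version" question in the comment more directly than the version string does. Against an ApacheDS instance with a self-signed certificate the connected run will fail at certificate validation, exactly as the reporter's ldapsearch did, but that failure happens after the Server Hello, so a capture will already show the server accepting the ClientHello; to get past it, point the JVM at a truststore containing the server certificate with -Djavax.net.ssl.trustStore.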
