On 13/11/14 17:16, [email protected] wrote:
> Hi Pierre,
>
> sorry I missed the previous reply. Thank you for the answer.
>
> Just to recheck, if we did not misunderstand the breach, the main aspect is
> that SSLv2 and SSLv3 are available although the TLS is used. An attacker
> could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> disabled? If yes, which version of Apache DS should we use? We currently use
> ApacheDS 1.0.

The question is more: which Java version are you using?
In any case, an attacker can't downgrade the server's protocol in use. You have to reconfigure the server to do that. Not likely to happen...
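
Added example, not part of the original message and not ApacheDS code: a small check to run with the same JVM that runs the server, showing which protocols that Java version enables by default on a server socket and what remains once SSLv2Hello and SSLv3 are filtered out. The class name `LegacyProtocolCheck` is hypothetical, and the output describes the JVM's JSSE defaults, not any protocol list the server itself may set.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical helper class, not part of ApacheDS.
public class LegacyProtocolCheck {
    // JSSE protocol names for the legacy handshakes discussed in the thread.
    static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3");

    // Return the given protocol list with the legacy entries removed.
    static String[] withoutLegacy(String[] protocols) {
        List<String> kept = new ArrayList<String>();
        for (String p : protocols) {
            if (!LEGACY.contains(p)) kept.add(p);
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));
        // May be null on JVMs that predate this security property.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 = any free port; no handshake is performed.
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0);
        try {
            String[] enabled = socket.getEnabledProtocols();
            System.out.println("supported: " + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("enabled by default: " + Arrays.toString(enabled));
            for (String p : enabled) {
                if (LEGACY.contains(p)) System.out.println("WARNING: " + p + " is enabled by default");
            }
            // Restrict this socket to the non-legacy protocols and confirm.
            String[] hardened = withoutLegacy(enabled);
            if (hardened.length > 0) {
                socket.setEnabledProtocols(hardened);
            }
            System.out.println("after restriction: " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```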
