On Fri, Nov 14, 2014 at 5:55 PM, <[email protected]> wrote:
> Hi,
>
> Well we use Java 1.7.0_71.
>
then half of your problem is gone, java7 uses TLSv1 by default

> The Security Advisory states "However, even if a client and server both
> support a version of TLS, the security level offered by SSL 3.0 is still
> relevant since many clients implement a protocol downgrade dance to work
> around server-side interoperability bugs."
>
> The recommendation is to disable SSLv3 either on the client or server side
> to completely avoid an attack. We would like to do that on our server side.
>
> We use the Apache DS libraries to create our own LDAP service embedded in
> our own process. The usage of Java 7 won't help us to disable SSLv3, as
> the enabled protocols can only be defined per SSLContext. Thus the question
> would be whether the SSLContext used by the Apache DS library already
> disables SSLv3 by default or whether there is a way to inject an
> SSLContext which does disable SSLv3?
>
nope, ApacheDS explicitly sets the protocol to TLSv1 in any custom
SSLContexts it creates, like it was already mentioned by Emmanuel, you are
safe.

> Best regards,
> Shushant
>
> On 13/11/14 17:16, [email protected] wrote:
> > Hi Pierre,
> >
> > sorry I missed the previous reply. Thank you for the answer.
> >
> > Just to recheck, if we did not misunderstand the breach, the main aspect
> > is that SSLv2 and SSLv3 are available although TLS is used. An attacker
> > could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> > disabled? If yes, which version of Apache DS should we use? We currently
> > use ApacheDS 1.0.
> The question is more: which Java version are you using?
>
> In any case, an attacker can't downgrade the server's protocol in use.
> You have to reconfigure the server to do that. Not likely to happen...
>
> > From: KAKKAR, SHUSHANT
> > Sent: Thursday, 13 November 2014 17:16
> > To: 'Pierre Smits'; Apache Directory Developers List
> > Subject: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
> >
> > Hi Pierre,
> >
> > sorry I missed the previous reply. Thank you for the answer.
> >
> > Just to recheck, if we did not misunderstand the breach, the main aspect
> > is that SSLv2 and SSLv3 are available although TLS is used. An attacker
> > could enforce the usage of SSLv2 and SSLv3. So are these two protocols
> > disabled? If yes, which version of Apache DS should we use? We currently
> > use ApacheDS 1.0.
> >
> > Best regards,
> > Shushant
> >
> > From: Pierre Smits [mailto:[email protected]]
> > Sent: Thursday, 13 November 2014 16:51
> > To: Apache Directory Developers List; KAKKAR, SHUSHANT
> > Subject: Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol
> >
> > Hi Shushant,
> >
> > As Emmanuel already stated in his reply on Nov 10th in the user mailing
> > list, the Apache Directory Server is expected to be vulnerable with
> > respect to the 'POODLE' breach as it doesn't apply the SSLv2 or SSLv3
> > protocol. It applies the TLS protocol to have secure connections.
> >
> > Best regards,
> >
> > Pierre Smits
> >
> > ORRTIZ.COM <http://www.orrtiz.com>
> > Services & Solutions for Cloud-
> > Based Manufacturing, Professional
> > Services and Retail & Trade
> > http://www.orrtiz.com
> >
> > On Thu, Nov 13, 2014 at 4:32 PM, <[email protected]> wrote:
> > > Hello,
> > >
> > > Due to the security breach "POODLE" (detailed information see
> > > attachment) it is recommended to disable the support of the SSL v3
> > > (and SSL v2) protocol (https://access.redhat.com/solutions/1232233).
> > > We could not find any documentation on how to achieve this goal for
> > > Apache DS. Is there any recommendation on how to disable the protocol?
> > > Or will this issue be targeted in a new release?
> > >
> > > Best regards,
> > > Shushant Kakkar
> > >
> > > From: KAKKAR, SHUSHANT
> > > Sent: Monday, 10 November 2014 17:41
> > > To: '[email protected]'
> > > Subject: Disable usage of SSL (SSLv2 and SSL v3) protocol
> > >
> > > Hello,
> > >
> > > Due to the security breach "POODLE" (detailed information see
> > > attachment) it is recommended to disable the support of the SSL v3
> > > (and SSL v2) protocol (https://access.redhat.com/solutions/1232233).
> > > We could not find any documentation on how to achieve this goal. Is
> > > there any recommendation on how to disable the protocol? Or will this
> > > issue be targeted in a new release?
> > >
> > > Best regards,
> > > Shushant Kakkar
> > >

--
Kiran Ayyagari
http://keydap.com
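Shushant's question above, whether an SSLContext can be made to exclude SSLv3, comes down to the protocol list that is enabled on the SSLEngine (or socket) the context hands out, which is what a peer can actually negotiate regardless of the algorithm name passed to SSLContext.getInstance. As an added example, not code from ApacheDS or from anyone in this thread, here is how an application embedding the server can inspect and filter that list; it assumes a context initialised with JVM defaults and a class name (Sslv3Check) chosen for this illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class Sslv3Check {

    // Protocols that must never be negotiated. "SSLv2Hello" is JSSE's pseudo-protocol
    // that accepts an SSLv2-format ClientHello, so it is filtered alongside SSLv3.
    private static final List<String> FORBIDDEN = Arrays.asList("SSLv2Hello", "SSLv3");

    // Returns the given protocol list with the forbidden entries removed.
    static String[] withoutLegacySsl(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String p : enabled) {
            if (!FORBIDDEN.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    // True if the engine would still accept any forbidden protocol.
    static boolean allowsLegacySsl(SSLEngine engine) {
        for (String p : engine.getEnabledProtocols()) {
            if (FORBIDDEN.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        // Assumption: JVM defaults (no key/trust managers, default SecureRandom).
        // A real server would pass its KeyManagers to init() here.
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(null, null, null);

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side, as for an embedded LDAP listener

        System.out.println("Enabled before: " + Arrays.toString(engine.getEnabledProtocols()));
        engine.setEnabledProtocols(withoutLegacySsl(engine.getEnabledProtocols()));
        System.out.println("Enabled after:  " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Still allows SSLv3 or SSLv2Hello? " + allowsLegacySsl(engine));
    }
}
```

The same filter applies to SSLServerSocket.setEnabledProtocols for the blocking-socket path, and running the check against the engine a library actually hands to its connections is the only way to confirm what that library's SSLContext permits.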
