Hi Emmanuel, well I asked the question again because I was not sure whether TLS just set as the protocol for the SSLConnext or the usage of TLS additionally is enforced.
However, thanks for the clarification. We will switch to a newer version. Best regards, Shushant -----Ursprüngliche Nachricht----- Von: Emmanuel Lécharny [mailto:[email protected]] Gesendet: Freitag, 14. November 2014 11:04 An: [email protected] Betreff: Re: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol Le 14/11/14 10:55, [email protected] a écrit : > Hi, > > Well we use Java 1.7.0_71. > > The Security Advisory states “However, even if a client and server both > support a version of TLS, the security level offered by SSL 3.0 is still > relevant since many clients implement a protocol downgrade dance to work > around serverside interoperability bugs.” > > The recommendation is to disable SSLv3 either on client or serverside to > completely avoid an attack. We would like to do that on our serverside. It *is* already disabled, as we enfore the use of TLS. I already said that two times. Asking a third time will not bring you any more comfort. At this point, I would suggest you check the code by yourself, and if you find some place where you think that SSL v3 can still be used, then fill a JIRA, and we will be very pleased to apply a patch in trunk. Also keep in mind that ApacheDS 1.0 is not anymore maintained, so I strongly suggest you either switch to ApacheDS 2.0, or you are totally on your own.
