Hi All, We (as a community) thank you for having persisted, conducted tests and shared with us your finding regarding the POODLE threat that is affecting our Apache Directory Server up to current released milestone (2.0.0-M18).
We have found that a piece of software that we have taken from another open source project and use a core element in our solution is creating this issue. We are now working very hard to get a new milestone release out that will ensure that remove this threat. For more information regarding the POODLE threat and our Apache Directory Server, have a look at: https://issues.apache.org/jira/browse/DIRSERVER-2020. Please share your concerns and insights there. On behalf of the community, thank you. Regards, Pierre Smits *ORRTIZ.COM <http://www.orrtiz.com>* Services & Solutions for Cloud- Based Manufacturing, Professional Services and Retail & Trade http://www.orrtiz.com On Fri, Nov 14, 2014 at 11:17 AM, <[email protected]> wrote: > Hi Emmanuel, > > well I asked the question again because I was not sure whether TLS just > set as the protocol for the SSLConnext or the usage of TLS additionally is > enforced. > > However, thanks for the clarification. We will switch to a newer version. > > Best regards, > Shushant > > > -----Ursprüngliche Nachricht----- > Von: Emmanuel Lécharny [mailto:[email protected]] > Gesendet: Freitag, 14. November 2014 11:04 > An: [email protected] > Betreff: Re: AW: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) > protocol > > Le 14/11/14 10:55, [email protected] a écrit : > > Hi, > > > > Well we use Java 1.7.0_71. > > > > The Security Advisory states “However, even if a client and server both > support a version of TLS, the security level offered by SSL 3.0 is still > relevant since many clients implement a protocol downgrade dance to work > around serverside interoperability bugs.” > > > > The recommendation is to disable SSLv3 either on client or serverside to > completely avoid an attack. We would like to do that on our serverside. > > It *is* already disabled, as we enfore the use of TLS. > > I already said that two times. Asking a third time will not bring you any > more comfort. > > At this point, I would suggest you check the code by yourself, and if you > find some place where you think that SSL v3 can still be used, then fill a > JIRA, and we will be very pleased to apply a patch in trunk. Also keep in > mind that ApacheDS 1.0 is not anymore maintained, so I strongly suggest you > either switch to ApacheDS 2.0, or you are totally on your own. >
