directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRSERVER-2078) High Security Vulnerabilities Found when using LDAPs
Date Tue, 30 Jun 2015 19:26:05 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-2078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14608901#comment-14608901 ]

Emmanuel Lecharny edited comment on DIRSERVER-2078 at 6/30/15 7:25 PM:
-----------------------------------------------------------------------

No, you can only enable some. That means if you just enable {{TLSv1.2}}, no other version
will be accepted. If you don't add this parameter, the server will default to what is supported
by your JVM. Note that you can also tune your JVM to limit the ciphers and protocol to use.
See https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https


was (Author: elecharny):
No, you can only enable some. That means if you just enable {{TLSv1.2}}, no other version
will be accepted.

> High Security Vulnerabilities Found when using LDAPs
> ----------------------------------------------------
>
>                 Key: DIRSERVER-2078
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2078
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-M20
>         Environment: Server 2008 R2, Java 8
>            Reporter: Tyler Neemann
>              Labels: security
>         Attachments: Anonymous.JPG, ClearText.JPG, FREAK.JPG
>
>
> Recent internal Qualys vulnerability scans are reporting High Security vulnerabilities
> when using LDAPs. I have searched through the documentation and cannot find any remediation
> to these issues.
> I currently have LDAPs enabled, TLS enabled and server-side password hashing enabled. Allow
> anonymous access is disabled.
> Issues found:
> 1. SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> 2. SSL Server Allows Anonymous Authentication Vulnerability
> 3. SSL Server Allows Cleartext Communication Vulnerability
> Any help would be appreciated.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
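A client-side check for the advice in this thread, added here as example code that is neither ApacheDS code nor part of the JIRA discussion: it confirms that a protocol whitelist such as TLSv1.2-only actually took effect on an LDAPS endpoint and that the anonymous, NULL (cleartext) and export cipher suites behind the three Qualys findings are no longer negotiable. The host, the port 636 default, the OpenSSL cipher-list strings and the `@SECLEVEL=0` syntax are assumptions; the probe needs network access to the server under test.

```python
import socket
import ssl

# One handshake attempt per finding: (min TLS version, max TLS version, OpenSSL
# cipher list). Cipher probes are capped at TLS 1.2 because TLS 1.3 suites are
# not governed by set_ciphers() and would otherwise mask a negative result.
# Assumption: local OpenSSL can offer these legacy lists; if not, result is None.
V = ssl.TLSVersion
PROBES = {
    "TLSv1.0 accepted": (V.TLSv1, V.TLSv1, "DEFAULT:@SECLEVEL=0"),
    "TLSv1.1 accepted": (V.TLSv1_1, V.TLSv1_1, "DEFAULT:@SECLEVEL=0"),
    "TLSv1.2 accepted": (V.TLSv1_2, V.TLSv1_2, "DEFAULT"),
    "anonymous suite accepted": (None, V.TLSv1_2, "aNULL:@SECLEVEL=0"),
    "NULL (cleartext) suite accepted": (None, V.TLSv1_2, "eNULL:@SECLEVEL=0"),
    "export (FREAK) suite accepted": (None, V.TLSv1_2, "EXPORT:@SECLEVEL=0"),
}
EXPECTED = {"TLSv1.2 accepted"}  # the only probe a hardened server should pass

def build_context(lo, hi, ciphers):
    """Client context limited to one version range and cipher list. Certificate
    checks are off on purpose: the question is what the server accepts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if lo is not None:
        ctx.minimum_version = lo
    ctx.maximum_version = hi
    ctx.set_ciphers(ciphers)  # ssl.SSLError if the local library lacks them
    return ctx

def probe(host, port=636, timeout=5.0):
    """Run every probe against host:port. True = handshake completed."""
    results = {}
    for name, params in PROBES.items():
        try:
            ctx = build_context(*params)
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results

def findings(results):
    """Probes the server accepted but should have refused."""
    return [n for n, ok in results.items() if ok and n not in EXPECTED]
```

Run `findings(probe("ldap.example.internal"))` against the server after changing the protocol setting; an empty list means only TLSv1.2 handshakes succeed, while a `None` entry means the local OpenSSL build could not even offer that legacy suite, so that finding must be checked with another tool.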
