Hi Pierre, sorry I missed the previous reply. Thank you for the answer.
Just to recheck, if we did not misunderstand the breach, the main aspect is that SSLv2 and SSLv3 are available although TLS is used. An attacker could enforce the usage of SSLv2 and SSLv3. So are these two protocols disabled? If yes, which version of Apache DS should we use? We currently use ApacheDS 1.0.

Best regards,
Shushant

From: Pierre Smits [mailto:[email protected]]
Sent: Thursday, 13 November 2014 16:51
To: Apache Directory Developers List; KAKKAR, SHUSHANT
Subject: Re: [ApacheDS] Disable usage of SSL (SSLv2 and SSL v3) protocol

Hi Shushant,

As Emmanuel already stated in his reply on Nov 10th in the user mailing list, the Apache Directory Server is expected to be vulnerable with respect to the 'POODLE' breach as it doesn't apply the SSLv2 or SSLv3 protocol. It applies the TLS protocol to have secure connections.

Best regards,
Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
Services & Solutions for Cloud-Based Manufacturing, Professional Services and Retail & Trade
http://www.orrtiz.com

On Thu, Nov 13, 2014 at 4:32 PM, <[email protected]> wrote:

Hello,

Due to the security breach "POODLE" (for detailed information see attachment) it is recommended to disable the support of the SSL v3 (and SSL v2) protocol (https://access.redhat.com/solutions/1232233). We could not find any documentation on how to achieve this goal for Apache DS. Is there any recommendation on how to disable the protocol? Or will this issue be targeted in a new release?

Best regards,
Shushant Kakkar

From: KAKKAR, SHUSHANT
Sent: Monday, 10 November 2014 17:41
To: '[email protected]'
Subject: Disable usage of SSL (SSLv2 and SSL v3) protocol

Hello,

Due to the security breach "POODLE" (for detailed information see attachment) it is recommended to disable the support of the SSL v3 (and SSL v2) protocol (https://access.redhat.com/solutions/1232233). We could not find any documentation on how to achieve this goal.
Is there any recommendation on how to disable the protocol? Or will this issue be targeted in a new release?

Best regards,
Shushant Kakkar
