On 14/11/14 10:55, [email protected] wrote:
> Hi,
>
> Well we use Java 1.7.0_71.
>
> The Security Advisory states “However, even if a client and server both
> support a version of TLS, the security level offered by SSL 3.0 is still
> relevant since many clients implement a protocol downgrade dance to work
> around serverside interoperability bugs.”
>
> The recommendation is to disable SSLv3 either on client or serverside to
> completely avoid an attack. We would like to do that on our serverside.

It *is* already disabled, as we enforce the use of TLS. I already said that two times. Asking a third time will not bring you any more comfort. At this point, I would suggest you check the code by yourself, and if you find some place where you think that SSL v3 can still be used, then file a JIRA, and we will be very pleased to apply a patch in trunk. Also keep in mind that ApacheDS 1.0 is no longer maintained, so I strongly suggest you either switch to ApacheDS 2.0, or you are totally on your own.
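
For readers who want to verify the server-side protocol set on their own JVM, the following is an added example, not part of the original message and not ApacheDS code. It uses only the standard JSSE API; the class name `Sslv3Check` and the helper `withoutSslv3` are hypothetical names chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class Sslv3Check {
    // Hypothetical helper: return the protocol list with "SSLv3" removed.
    static String[] withoutSslv3(String[] protocols) {
        List<String> kept = new ArrayList<String>();
        for (String p : protocols) {
            if (!"SSLv3".equals(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Refuse to continue rather than hand JSSE an empty protocol list.
            throw new IllegalStateException("no protocol left after removing SSLv3");
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);      // JVM default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);  // inspect the server-side defaults

        // What this JVM would accept before any explicit restriction.
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled:   " + Arrays.toString(engine.getEnabledProtocols()));

        // Restrict the engine explicitly, then confirm the result.
        engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));
        if (Arrays.asList(engine.getEnabledProtocols()).contains("SSLv3")) {
            throw new IllegalStateException("SSLv3 is still enabled");
        }
        System.out.println("after:     " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The "enabled" line shows what the running JVM offers by default for a server-side engine; the same `setEnabledProtocols` call exists on `SSLSocket` and `SSLServerSocket`.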
