[ 
https://issues.apache.org/jira/browse/DIRSERVER-2078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14608901#comment-14608901
 ] 

Emmanuel Lecharny edited comment on DIRSERVER-2078 at 6/30/15 7:25 PM:
-----------------------------------------------------------------------

No, you can only enable some. That means if you just enable {{TLSv1.2}}, no 
other version will be accepted. If you don't add this parameter, the server 
will default to what is supported by your JVM. Note that you can also tune your 
JVM to limit the ciphers and protocol to use. See 
https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https


was (Author: elecharny):
No, you can only enable some. That means if you just enable {{TLSv1.2}}, no 
other version will be accepted.

> High Security Vulnerabilities Found when using LDAPs
> ----------------------------------------------------
>
>                 Key: DIRSERVER-2078
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2078
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-M20
>         Environment: Server 2008 R2, Java 8
>            Reporter: Tyler Neemann
>              Labels: security
>         Attachments: Anonymous.JPG, ClearText.JPG, FREAK.JPG
>
>
> Recent internal Qualys vulnerability scans are reporting High Security 
> vulnerabilities when using LDAPs. I have searched through the documentation 
> and cannot find any remediation to these issues. 
> Currently have LDAPs enabled, TLS enabled and Server Side password hashing 
> enabled. Allow anonymous access is disabled.
> Issues found:
> 1. SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> 2. SSL Server Allows Anonymous Authentication Vulnerability
> 3. SSL Server Allows Cleartext Communication Vulnerability
> Any help would be appreciated. 
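
The allow-list behaviour described in the comment, shown in plain JSSE as an added example (not part of the JIRA thread and not ApacheDS code or configuration). The class and method names are hypothetical, and the substring filter for export, anonymous and NULL suites is an assumption based on standard JSSE cipher suite naming.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper: enable only named protocols and drop weak suite families.
public class TlsAllowList {
    // Suite families behind the three scanner findings in the report:
    // export-grade keys (FREAK), anonymous key exchange, NULL (cleartext) encryption.
    static boolean isWeak(String suite) {
        return suite.contains("_EXPORT_") || suite.contains("_anon_") || suite.contains("_NULL_");
    }

    // Enabling is an allow-list: any protocol not passed here is refused at handshake.
    static SSLParameters harden(SSLContext ctx, String... protocols) {
        SSLParameters supported = ctx.getSupportedSSLParameters();
        List<String> offered = Arrays.asList(supported.getProtocols());
        for (String p : protocols) {
            if (!offered.contains(p)) {
                throw new IllegalArgumentException("JVM does not support " + p);
            }
        }
        List<String> suites = new ArrayList<>();
        for (String s : supported.getCipherSuites()) {
            if (!isWeak(s)) suites.add(s);
        }
        SSLParameters out = new SSLParameters();
        out.setProtocols(protocols);
        out.setCipherSuites(suites.toArray(new String[0]));
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Without an explicit list, the JVM defaults apply.
        System.out.println("JVM default protocols: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        long weak = Arrays.stream(ctx.getSupportedSSLParameters().getCipherSuites())
                .filter(TlsAllowList::isWeak).count();
        System.out.println("Weak suites this JVM still supports: " + weak);
        SSLParameters p = harden(ctx, "TLSv1.2");
        System.out.println("Enabled protocols: " + Arrays.toString(p.getProtocols()));
        System.out.println("Enabled suites: " + p.getCipherSuites().length);
        // Apply with SSLEngine.setSSLParameters(p) or SSLServerSocket.setSSLParameters(p).
    }
}
```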


