[ https://issues.apache.org/jira/browse/DIRSTUDIO-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann resolved DIRSTUDIO-1011.
----------------------------------------
    Resolution: Done

Tested with a current Java 11.0.11 and 17-ea, Studio sends either TLSv1.2 or 
TLSv1.3.
I assume it was caused by usage of older Java versions.

> ApacheStudio sends SSLv2 Client Hello
> -------------------------------------
>
>                 Key: DIRSTUDIO-1011
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
>            Reporter: Roy Wellington
>            Priority: Major
>
> I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes 
> indicated by the docs; attempting to connect over either StartTLS or LDAPS 
> both result in "SSL handshake failed."
> Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2 
> (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected 
> Message" (which is correct). ApacheDS should not be sending an SSLv2 Client 
> Hello; instead, it should use the most recent version of TLS. (SSLv2, and 
> SSLv3, are broken, and insecure.)
> Simply running,
> {noformat}
> % ldapsearch -H ldaps://<my domain>:10636
> {noformat}
> …gets me further in the conversation. (Although {{ldapsearch}} complains 
> about a bad certificate, but that's because the cert is self-signed; 
> Wireshark shows that it _is_ getting further in the SSL conversation (it is 
> getting a Server Hello back) than ApacheDS.)
> Note: I'm connecting to an ApacheDS server running on a Linux VM, through an 
> SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the 
> right spot. This should not matter, and I can still connect with openssl (to 
> the LDAPS side; obviously openssl is not capable of StartTLS).



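The distinction the Wireshark trace in the report turns on, as an added example (not code from Directory Studio or from the reporter): a Python classifier for the first bytes of a client handshake that tells an SSLv2-framed Client Hello from a TLS-framed one and reports the version field each carries. The sample byte strings are constructed, and the TLSv1.2 floor is an assumption chosen to match the versions named in the resolution comment.

```python
import struct

# Wire version codes (major, minor) and their names.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
MIN_ACCEPTED = (3, 3)  # assumed policy floor: TLSv1.2


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on LDAPS or after StartTLS."""
    # SSLv2 framing: 2-byte header with the high bit set (15-bit length),
    # then message type 1 (CLIENT-HELLO) and the version being offered.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        return {"framing": "SSLv2", "length": length,
                "version": VERSIONS.get((data[3], data[4]), "unknown"),
                "acceptable": False}  # this framing is never accepted
    # TLS framing: record type 22 (handshake), record version, 2-byte length,
    # then handshake type 1 (ClientHello), 3-byte length, client version.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        version = (data[9], data[10])
        return {"framing": "TLS", "length": struct.unpack(">H", data[3:5])[0],
                "version": VERSIONS.get(version, "unknown"),
                "acceptable": version >= MIN_ACCEPTED}
    return {"framing": "unknown", "length": None, "version": None,
            "acceptable": False}


# Constructed sample: SSLv2-framed hello offering TLSv1.0 (46-byte body).
SSLV2_HELLO = (b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"
               + bytes(21) + bytes(16))
# Constructed sample: TLS-framed ClientHello with client version 0x0303.
# A TLSv1.3 client also sends 0x0303 here and lists 1.3 in an extension.
TLS_HELLO = (b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)
             + b"\x00\x00\x02\xc0\x2f\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in (("sslv2", SSLV2_HELLO), ("tls", TLS_HELLO)):
        print(name, classify_client_hello(blob))
```

An SSLv2-framed hello can still offer a TLS version in its version field, so the framing and the offered version are reported separately.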