Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2015/01/21 00:54:34 UTC

[jira] [Commented] (DIRSTUDIO-1011) ApacheStudio sends SSLv2 Client Hello

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284676#comment-14284676 ] 

Emmanuel Lecharny commented on DIRSTUDIO-1011:
----------------------------------------------

This is a negotiation. The client is sending all the protocols it supports, and the server picks the strongest it supports on its side which matches with what the client has sent.

Natively, Java supports SSLv3 and TLS v1.0 on the client side (Java 7) and SSLv3 to TLS v1.2 (Java 8). Also see http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#sslv2protonote

You can configure Java on the client side so that it uses a higher level of protocol.

What is the Java version you are using?

> ApacheStudio sends SSLv2 Client Hello
> -------------------------------------
>
>                 Key: DIRSTUDIO-1011
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
>            Reporter: Roy Wellington
>
> I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes indicated by the docs; attempting to connect over either StartTLS or LDAPS both result in "SSL handshake failed."
> Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2 (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected Message" (which is correct). ApacheDS should not be sending an SSLv2 Client Hello; instead, it should use the most recent version of TLS. (SSLv2, and SSLv3, are broken, and insecure.)
> Simply running,
> {noformat}
> % ldapsearch -H ldaps://<my domain>:10636
> {noformat}
> …gets me further in the conversation. (Although {{ldapsearch}} complains about a bad certificate, but that's because the cert is self-signed; Wireshark shows that it _is_ getting further in the SSL conversation (it is getting a Server Hello back) than ApacheDS.)
> Note: I'm connecting to an ApacheDS server running on a Linux VM, through an SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the right spot. This should not matter, and I can still connect with openssl (to the LDAPS side; obviously openssl is not capable of StartTLS).
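The comment above says the client offers every protocol it supports and that the Java side can be configured to offer only newer ones. The following is an added illustration of that configuration on a plain JSSE client socket; it is not code from this thread or from the Directory Studio code base. The host name, the port and the class name are placeholders, and the list of legacy protocol names reflects what SunJSSE calls them (the "SSLv2Hello" pseudo-protocol is the one that produces the SSLv2-format Client Hello seen in Wireshark).

```java
// Added example, not from DIRSTUDIO-1011 or the Directory Studio sources.
// Prints what the running JVM supports and enables by default, then opens a
// client socket that offers only the non-legacy protocols before handshaking.
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsClientProtocols {

    // JSSE protocol names a client should no longer offer. "SSLv2Hello" is the
    // SSLv2-compatible Client Hello format, not the SSLv2 protocol itself.
    private static final List<String> LEGACY =
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    /** Returns the subset of the given protocol names that are not legacy. */
    static String[] modernProtocols(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) {
            if (!LEGACY.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: pass the real LDAPS host and port on the command line.
        String host = args.length > 0 ? args[0] : "ldap.example.test";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 10636;

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("JVM supports  : " + Arrays.toString(supported));
        System.out.println("Client default: " + Arrays.toString(defaults));

        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Restrict what this socket will offer in its Client Hello.
            socket.setEnabledProtocols(modernProtocols(socket.getSupportedProtocols()));
            System.out.println("Offering      : " + Arrays.toString(socket.getEnabledProtocols()));
            socket.startHandshake();
            System.out.println("Negotiated    : " + socket.getSession().getProtocol());
        }
    }
}
```

Compile and run it against the LDAPS port (`java TlsClientProtocols <host> 10636`) with the same JVM that launches Studio: the "Client default" line shows whether "SSLv2Hello" or "SSLv3" is in the default client list for that Java version, and the "Negotiated" line confirms which TLS version the server actually accepts once the legacy entries are dropped. For an application whose sockets you do not create yourself, the equivalent JVM-wide setting is the `jdk.tls.client.protocols` system property (honoured by JDK 8 and later JDK 7 updates), for example `-Djdk.tls.client.protocols=TLSv1.2` passed as a VM argument in the launcher configuration.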



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)