Posted to dev@directory.apache.org by "Stefan Seelmann (Jira)" <ji...@apache.org> on 2021/06/22 04:35:00 UTC

[jira] [Resolved] (DIRSTUDIO-1011) ApacheStudio sends SSLv2 Client Hello

     [ https://issues.apache.org/jira/browse/DIRSTUDIO-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann resolved DIRSTUDIO-1011.
----------------------------------------
    Resolution: Done

Tested with a current Java 11.0.11 and 17-ea, Studio sends either TLSv1.2 or TLSv1.3.
I assume it was caused by usage of older Java versions.

> ApacheStudio sends SSLv2 Client Hello
> -------------------------------------
>
>                 Key: DIRSTUDIO-1011
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
>            Reporter: Roy Wellington
>            Priority: Major
>
> I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes indicated by the docs; attempting to connect over either StartTLS or LDAPS both result in "SSL handshake failed."
> Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2 (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected Message" (which is correct). ApacheDS should not be sending an SSLv2 Client Hello; instead, it should use the most recent version of TLS. (SSLv2, and SSLv3, are broken, and insecure.)
> Simply running,
> {noformat}
> % ldapsearch -H ldaps://<my domain>:10636
> {noformat}
> …gets me further in the conversation. (Although {{ldapsearch}} complains about a bad certificate, but that's because the cert is self-signed; Wireshark shows that it _is_ getting further in the SSL conversation (it is getting a Server Hello back) than ApacheDS.)
> Note: I'm connecting to an ApacheDS server running on a Linux VM, through an SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the right spot. This should not matter, and I can still connect with openssl (to the LDAPS side; obviously openssl is not capable of StartTLS).
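The check Wireshark performed above (is the first client flight an SSLv2-format Client Hello or a TLS record-layer Client Hello, and which protocol versions does it actually offer?) is easy to reproduce on a captured byte string. The following is an added example written for this thread; it is not code from Directory Studio, ApacheDS or the issue reporter. The two sample hellos are constructed in the block itself from the SSLv2 (2-byte header, 3-byte cipher specs) and TLS (record header, handshake header, supported_versions extension) wire formats, so the parser can be run offline; the verdict strings in `assess()` are the example's own wording.

```python
"""Classify a captured TLS/SSL Client Hello: SSLv2 framing vs. TLS framing,
and which protocol versions the client offered. Added example, not project code."""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16          # record-layer content type for handshake messages
CLIENT_HELLO = 0x01           # handshake message type (same value in SSLv2 and TLS)
SUPPORTED_VERSIONS_EXT = 0x002B
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


@dataclass
class HelloInfo:
    framing: str              # "sslv2" or "tls"
    legacy_version: int       # version field carried in the hello itself
    offered_versions: list    # what the client really offers (supported_versions wins in TLS)
    cipher_count: int


def parse_client_hello(data: bytes) -> HelloInfo:
    """Dispatch on the first byte: SSLv2 hellos start with a length whose high bit is set,
    TLS hellos start with the handshake content type 0x16."""
    if data[0] & 0x80:
        return _parse_sslv2(data)
    if data[0] == TLS_HANDSHAKE:
        return _parse_tls(data)
    raise ValueError("not a Client Hello")


def _parse_sslv2(data: bytes) -> HelloInfo:
    length = ((data[0] & 0x7F) << 8) | data[1]      # 2-byte header, 15-bit length
    body = data[2:2 + length]
    if len(body) != length or body[0] != CLIENT_HELLO:
        raise ValueError("malformed SSLv2 Client Hello")
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    if len(body) != 9 + cs_len + sid_len + ch_len:
        raise ValueError("SSLv2 Client Hello length fields do not add up")
    return HelloInfo("sslv2", version, [version], cs_len // 3)   # V2 cipher specs are 3 bytes


def _parse_tls(data: bytes) -> HelloInfo:
    _ctype, _rec_ver, rec_len = struct.unpack(">BHH", data[:5])
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or rec[0] != CLIENT_HELLO:
        raise ValueError("malformed TLS Client Hello record")
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    client_version = struct.unpack(">H", hs[:2])[0]
    pos = 2 + 32                                     # skip client_version and random
    sid_len = hs[pos]; pos += 1 + sid_len
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = hs[pos]; pos += 1 + comp_len
    offered = [client_version]
    if pos < len(hs):                                # extensions block is optional
        ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:      # TLS 1.3: this list overrides legacy_version
                lst = hs[pos + 1:pos + 1 + hs[pos]]
                offered = [struct.unpack(">H", lst[i:i + 2])[0] for i in range(0, len(lst), 2)]
            pos += elen
    return HelloInfo("tls", client_version, offered, cs_len // 2)


def assess(info: HelloInfo) -> str:
    """Defender's verdict: SSLv2 framing is rejected outright; otherwise judge the best version."""
    if info.framing == "sslv2":
        return "reject: SSLv2-format Client Hello"
    best = max(info.offered_versions)
    name = VERSION_NAMES.get(best, hex(best))
    return ("weak: " if best < 0x0303 else "ok: ") + "highest offered " + name


# --- constructed sample hellos (not captured traffic) -------------------------
def build_sslv2_hello(version: int, cipher_specs, challenge: bytes) -> bytes:
    specs = b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)   # 3-byte cipher specs
    body = struct.pack(">BHHHH", CLIENT_HELLO, version, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(legacy_version: int, cipher_suites, supported_versions=None) -> bytes:
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (struct.pack(">H", legacy_version) + bytes(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")
    exts = b""
    if supported_versions:
        lst = b"".join(struct.pack(">H", v) for v in supported_versions)
        exts = struct.pack(">HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst
    body += struct.pack(">H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


SAMPLE_LEGACY = build_sslv2_hello(0x0301, [0x00002F, 0x000035], b"\x11" * 16)
SAMPLE_MODERN = build_tls_hello(0x0303, [0x1301, 0xC02F], supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)):
        info = parse_client_hello(sample)
        print(label, info.framing, [VERSION_NAMES.get(v, hex(v)) for v in info.offered_versions], assess(info))
```

Feed `parse_client_hello()` the payload of the first client TCP segment from a capture (the LDAPS port, or the bytes that follow the StartTLS extended response) and the verdict tells you whether the client is still speaking SSLv2 framing, which is exactly the symptom in this report and the reason a modern server answers with an alert rather than a Server Hello.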



--
This message was sent by Atlassian Jira
(v8.3.4#803005)