Posted to dev@directory.apache.org by "Roy Wellington (JIRA)" <ji...@apache.org> on 2015/01/20 22:46:34 UTC

[jira] [Created] (DIRSTUDIO-1011) ApacheStudio sends SSLv2 Client Hello

Roy Wellington created DIRSTUDIO-1011:
-----------------------------------------

             Summary: ApacheStudio sends SSLv2 Client Hello
                 Key: DIRSTUDIO-1011
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
             Project: Directory Studio
          Issue Type: Bug
    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
            Reporter: Roy Wellington


I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes indicated by the docs; attempting to connect over either StartTLS or LDAPS results in "SSL handshake failed."

Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2 (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected Message" (which is correct). ApacheDS should not be sending an SSLv2 Client Hello; instead, it should use the most recent version of TLS. (SSLv2 and SSLv3 are broken and insecure.)

Simply running,

{noformat}
% ldapsearch -H ldaps://<my domain>:10636
{noformat}

…gets me further in the conversation. ({{ldapsearch}} complains about a bad certificate, but that's because the cert is self-signed; Wireshark shows that it _is_ getting further in the SSL conversation (it is getting a Server Hello back) than ApacheDS.)

Note: I'm connecting to an ApacheDS server running on a Linux VM, through an SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the right spot. This should not matter, and I can still connect with openssl (to the LDAPS side; obviously openssl is not capable of StartTLS).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
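The wire-level difference the reporter observed in Wireshark, as an added example (this is not Directory Studio or ApacheDS code): an SSLv2-format CLIENT-HELLO has a 2-byte record header with the high bit set and no record-layer version, while a TLS ClientHello sits inside a record that starts with content type 0x16 and a version field. The parser below classifies the first bytes a client sends and pulls out the version it actually offers; both sample messages are constructed in the block (the cipher suite ids, challenge and random bytes are arbitrary), nothing is captured from a real server.

```python
"""Added example (not Directory Studio or ApacheDS code): tell an SSLv2-format
Client Hello from a TLS record-layer Client Hello by its leading bytes, the way
a Wireshark dissector decides which protocol to show.  The two sample messages
are constructed below; nothing is read off the network."""
import struct

SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type CLIENT-HELLO
TLS_HANDSHAKE = 0x16        # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01     # TLS handshake message type ClientHello

VERSION_NAMES = {
    (0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3",
}


def _vname(major, minor):
    return VERSION_NAMES.get((major, minor), "0x%02x%02x" % (major, minor))


def classify_client_hello(data):
    """Parse the first bytes of a client's opening flight.

    Returns a dict with "format" ("SSLv2" or "TLS") and the highest version the
    client offers; raises ValueError for anything that is not a Client Hello.
    """
    if len(data) < 11:
        raise ValueError("too short to be a Client Hello")
    first = data[0]
    if first & 0x80:
        # SSLv2 record header: 2 bytes, high bit set, 15-bit record length,
        # no version field at the record layer.  The offered version sits
        # inside the CLIENT-HELLO body, so a v2-format hello can still
        # advertise TLS (the "v2-compatible" hello of RFC 5246 App. E.2).
        rec_len = ((first & 0x7F) << 8) | data[1]
        if data[2] != SSLV2_CLIENT_HELLO:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        major, minor = data[3], data[4]
        cs_len, _sid_len, _chal_len = struct.unpack("!HHH", data[5:11])
        specs = data[11:11 + cs_len]
        # v2 cipher specs are 3 bytes; 0x00 xx yy carries an SSLv3/TLS suite id
        suites = [struct.unpack("!H", specs[i + 1:i + 3])[0]
                  for i in range(0, cs_len, 3) if specs[i] == 0]
        return {"format": "SSLv2", "version": _vname(major, minor),
                "record_length": rec_len, "cipher_suites": suites}
    if first == TLS_HANDSHAKE:
        # TLS record header: type(1) version(2) length(2), then the handshake
        # header: type(1) length(3), then ClientHello.client_version(2).
        rec_major, rec_minor = data[1], data[2]
        if data[5] != TLS_CLIENT_HELLO:
            raise ValueError("TLS handshake record is not a ClientHello")
        major, minor = data[9], data[10]
        return {"format": "TLS", "record_version": _vname(rec_major, rec_minor),
                "version": _vname(major, minor)}
    raise ValueError("byte 0x%02x does not start an SSL/TLS Client Hello" % first)


def build_sslv2_client_hello(version=(3, 1), suites=(0x002F, 0x000A),
                             challenge=b"\x11" * 16):
    """Constructed SSLv2-format CLIENT-HELLO that offers TLS `version`."""
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)
    body = (bytes([SSLV2_CLIENT_HELLO, version[0], version[1]])
            + struct.pack("!HHH", len(specs), 0, len(challenge))  # cipher/sid/challenge lengths
            + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_tls_client_hello(version=(3, 3), suites=(0xC02F, 0x002F),
                           random=b"\x22" * 32):
    """Constructed TLS record-layer ClientHello offering `version` (no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + random + b"\x00"        # client_version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                             # one compression method: null
    hs = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is commonly pinned to 3.1 for middlebox tolerance.
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for msg in (build_sslv2_client_hello(), build_tls_client_hello()):
        print(msg[:5].hex(), "->", classify_client_hello(msg))
```

Run against the two constructed messages, the first is reported as an SSLv2-format hello that nevertheless offers TLSv1.0 and AES/3DES suites, the second as a TLS record whose ClientHello offers TLSv1.2. That is the point worth checking on a capture like the reporter's: the 0x80 leading byte identifies the obsolete framing regardless of the version advertised inside it, and RFC 6176 forbids TLS clients from sending that framing at all, so a server that has dropped SSLv2 support is within its rights to answer it with an alert.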