Posted to dev@directory.apache.org by "Roy Wellington (JIRA)" <ji...@apache.org> on 2015/01/20 22:46:34 UTC
[jira] [Created] (DIRSTUDIO-1011) ApacheStudio sends SSLv2 Client Hello
Roy Wellington created DIRSTUDIO-1011:
-----------------------------------------
Summary: ApacheStudio sends SSLv2 Client Hello
Key: DIRSTUDIO-1011
URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
Project: Directory Studio
Issue Type: Bug
Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
Reporter: Roy Wellington
I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes indicated by the docs; attempting to connect over either StartTLS or LDAPS results in "SSL handshake failed."
Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2 (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected Message" (which is correct). ApacheDS should not be sending an SSLv2 Client Hello; instead, it should use the most recent version of TLS. (SSLv2 and SSLv3 are broken and insecure.)
Simply running,
{noformat}
% ldapsearch -H ldaps://<my domain>:10636
{noformat}
…gets me further in the conversation. ({{ldapsearch}} complains about a bad certificate, but that's because the cert is self-signed; Wireshark shows that it _is_ getting further in the SSL conversation (it is getting a Server Hello back) than ApacheDS.)
Note: I'm connecting to an ApacheDS server running on a linux VM, through an SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the right spot. This should not matter, and I can still connect with openssl (to the LDAPS side; obviously openssl is not capable of StartTLS).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
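The distinction the report turns on (an SSLv2-format Client Hello versus a TLS-format one) is visible in the first few bytes of the client's first flight, so it can be checked without Wireshark. The following is an added example and is not code from this issue, from Directory Studio or from ApacheDS: it classifies the leading bytes of a captured client hello using the record layouts from the SSLv2 specification (2-byte header with the high bit set, then message type 0x01 and the client version) and from RFC 5246 (0x16 handshake record, record version, handshake type 0x01, then client_version). The two builder functions and the byte strings they produce are constructed sample input for the classifier, not captures from the reporter's session; the cipher values and lengths in them are assumptions chosen for illustration.

```python
"""Classify the first bytes of a TLS/SSL client hello (added example)."""

import os
import struct

# Version numbers as they appear on the wire (major, minor).
VERSION_NAMES = {
    (2, 0): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown(%d.%d)" % (major, minor))


def classify_client_hello(data):
    """Describe the format of the first bytes a client sent.

    Returns a dict with "format" set to "sslv2", "tls" or "unknown".
    The SSLv2 check matches a 2-byte header whose high bit is set (meaning
    no padding byte follows) and a message type of 0x01 (CLIENT-HELLO).
    The TLS check matches a handshake record (0x16), major version 3 and a
    ClientHello handshake type (0x01).
    """
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the client's first flight")
    b0 = data[0]
    if b0 & 0x80 and data[2] == 0x01:
        rec_len = ((b0 & 0x7F) << 8) | data[1]          # low 15 bits
        return {
            "format": "sslv2",
            "record_length": rec_len,
            # Old stacks put their real maximum version here (e.g. 3.1),
            # which is why a server can still pick TLS from an SSLv2 hello.
            "client_version": version_name(data[3], data[4]),
        }
    if b0 == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs_len = int.from_bytes(data[6:9], "big")
        return {
            "format": "tls",
            "record_version": version_name(data[1], data[2]),
            "record_length": rec_len,
            "handshake_length": hs_len,
            "client_version": version_name(data[9], data[10]),
        }
    return {"format": "unknown"}


def build_tls_client_hello(client_version=(3, 3), cipher_suites=(0x002F, 0xC02F),
                           random_bytes=None):
    """Construct a minimal TLS ClientHello record (sample input, assumed values)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (bytes(client_version) + rnd + b"\x00"            # empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                                  # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record version 3.1 is what most clients put on the outer record.
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def build_sslv2_client_hello(client_version=(3, 1), cipher_specs=((0x00, 0x00, 0x2F),),
                             challenge=None):
    """Construct an SSLv2-format CLIENT-HELLO (sample input, assumed values).

    Layout after the 2-byte header: msg_type(1) version(2) cipher_spec_len(2)
    session_id_len(2) challenge_len(2) cipher_specs session_id challenge.
    """
    chal = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(bytes(s) for s in cipher_specs)
    body = (b"\x01" + bytes(client_version)
            + struct.pack(">HHH", len(specs), 0, len(chal))
            + specs + chal)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    for label, hello in (("tls", build_tls_client_hello()),
                         ("sslv2", build_sslv2_client_hello())):
        print(label, hello[:11].hex(), classify_client_hello(hello))
```

To apply this to a real session, export the first bytes the client sent (in Wireshark, "Follow TCP Stream" on the LDAPS or post-StartTLS connection and save the client-to-server direction as raw bytes) and pass them to classify_client_hello; a result of "sslv2" with a client_version of TLSv1.0 or later is the SSLv2-compatible hello format that older Java and OpenSSL stacks emitted, and that a server configured for TLS only will reject exactly as the report describes.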