Shib IDP's LDAPS attribute resolution and SSLv3

David Langenberg davel at uchicago.edu
Thu Oct 16 09:54:34 EDT 2014


Your assumption in this case is that the LDAP servers are locked down only
to the network and not wide open to the world to support use-cases such as
client-side address-books.  If the LDAP service is open to the world,
you're right back at starbucks on the open WIFI and have good reason to
immediately shut down SSLv3.

Dave

On Thu, Oct 16, 2014 at 12:23 AM, Rhys Smith <Smith at cardiff.ac.uk> wrote:

> Disclaimer: I’ve only had time to have a quick glance through how POODLE
> works, so please correct me if I’m wrong everybody!
>
> With the caveat of that disclaimer - It should be said for those reading
> this who are panicking about their ldaps connections, from what I
> understand the POODLE attack requires:
> a) the attacker being able to intercept traffic
> b) a client that will downgrade from TLS1 to SSLv3
> c) to be able to inject data into the connection to make the client retry.
>
> So, for those doing web browser stuff over the wifi in starbucks
> where the client is a web browser which does javascript, this is bad. For
> an LDAP connection on a relatively secure corporate network where the
> client is a set of LDAP libraries, this is less bad.
>
> Not saying people shouldn’t be considering disabling SSLv3 everywhere now,
> just that I don’t think there are really known attack vectors for poodle in
> the ldaps circumstance - yet. So web servers should be switching off SSLv3
> support now, but LDAP servers on corporate networks… we probably have a bit
> of time to sort this out in a more orderly manner with a bit more testing
> and thought before we turn off SSLv3 support.
>
> Anyway, just my 2c, and happy to be corrected (well, not happy per se, as
> it’ll make everyone’s lives more difficult!).
> Rhys.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: smith at cardiff.ac.uk / rhys.smith at ja.net
> GPG: 0x4638C985
>
> On 16 Oct 2014, at 04:50, Daniel Fisher <dfisher at vt.edu> wrote:
>
> > On Wed, Oct 15, 2014 at 3:56 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> >> On 10/15/14, 3:30 PM, "Wessel, Keith" <kwessel at illinois.edu> wrote:
> >>
> >>> Hi, all,
> >>>
> >>> Our AD folks just turned off SSLv3 support on our AD LDAPS service.
> >>> Shib didn't like it.
> >>
> >> A little quick searching implies to me that the
> >> java.naming.security.protocol JNDI property is what controls this in
> >> Java, and the only value it appears to have is ssl [1]. Which probably
> >> means it doesn't support TLS.
> >>
> >> There is no actual standard for running LDAP over SSL, and I think the
> >> way TLS is handled is with StartTLS, and that's probably why Java doesn't
> >> support it.
> >>
> >> Daniel probably knows the specifics, but offhand I'd say it's apparently
> >> time to dump ldaps or somebody will need to complain to Oracle.
> >>
> >
> > You should be able to use either the SSLv3 or TLSv1 protocols with
> > LDAPS or startTLS.
> > I'll do some more testing tomorrow to confirm.
> > We're considering disabling SSLv3 support on our directories as well.
> >
> > --Daniel Fisher
> > --
> > To unsubscribe from this list send an email to
> > users-unsubscribe at shibboleth.net



-- 
David Langenberg
Identity & Access Management
The University of Chicago
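Added example, not code from this thread, from Shibboleth or from the JDK: a JNDI socket factory that strips SSLv3 on the client side. java.naming.security.protocol=ssl only says "use SSL/TLS"; which protocol versions the client offers is left to the JSSE defaults (on Java 7 clients those enable SSLv3 and TLSv1), so a client-side fix has to go through the socket factory. The example assumes the Sun/Oracle JNDI LDAP provider, which loads the class named in java.naming.ldap.factory.socket and gets an instance from its public static getDefault(); the class name, host, bind DN and password argument are placeholders.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical class (added example, not Shibboleth or JNDI code):
 * wraps the default JSSE socket factory and enables only TLS protocol
 * versions on every socket, so an LDAPS bind can never negotiate SSLv3
 * even if the server still offers it.
 */
public class NoSslv3SocketFactory extends SSLSocketFactory {

    private final SSLSocketFactory delegate =
            (SSLSocketFactory) SSLSocketFactory.getDefault();

    // JNDI instantiates the class named in java.naming.ldap.factory.socket
    // by reflectively calling this public static method.
    public static SSLSocketFactory getDefault() {
        return new NoSslv3SocketFactory();
    }

    // Keep every supported protocol whose name starts with "TLS";
    // this drops SSLv3 and the SSLv2Hello pseudo-protocol.
    private Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            List<String> keep = new ArrayList<String>();
            for (String p : ssl.getSupportedProtocols()) {
                if (p.startsWith("TLS")) {
                    keep.add(p);
                }
            }
            ssl.setEnabledProtocols(keep.toArray(new String[keep.size()]));
        }
        return s;
    }

    // The JNDI LDAP provider may use either the connected or the
    // unconnected form (the latter when a connect timeout is set).
    @Override public Socket createSocket() throws IOException {
        return harden(delegate.createSocket());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return harden(delegate.createSocket(address, port, localAddress, localPort));
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    /** Simple bind over LDAPS through this factory. URL and DN are placeholders. */
    public static DirContext connect(String ldapsUrl, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        // java.naming.security.protocol: "ssl" selects SSL/TLS but not the version.
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // The version policy lives here instead.
        env.put("java.naming.ldap.factory.socket", NoSslv3SocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder host and DN; the bind password is taken from the command line.
        DirContext ctx = connect("ldaps://ldap.example.org:636",
                                 "cn=shib,ou=svc,dc=example,dc=org", args[0]);
        ctx.close();
    }
}
```

The same factory works for the StartTLS path Scott mentions: pass an instance to StartTlsResponse.negotiate(SSLSocketFactory) and the upgraded socket gets the same protocol filter. Against a directory that has just switched SSLv3 off, a client built this way keeps binding over TLSv1 (or newer), which is the behaviour Daniel describes; against a directory that still offers SSLv3 it simply never accepts the downgrade, which removes the precondition (b) in Rhys's list on the client side.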