Shibboleth Identity Provider Security Advisory [4 October 2017]
Tom Poage
tfpoage at ucdavis.edu
Wed Oct 4 09:48:05 EDT 2017
Morning,
> LDAP Data Connector insecure when using default JVM trust
> =========================================================
> A flaw in the library used by the LDAP data connector [1] causes the
> connector to fail to validate the server certificate and leaves it
> vulnerable to man in the middle attacks under the following conditions:
>
> 1. The connection is via LDAPS (NOT StartTLS).
> 2. The connection's trust configuration is left to the default Java
> cacerts file, so-called default JVM trust.
Is the vulnerability an 'AND' or an 'OR' of the two conditions?
(looking to rule out any assumptions on my part)
Thanks.
Tom.
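The quoted advisory ties the exposure to an LDAPS URL combined with trust left at the default Java cacerts. Whatever the intended combination of the two conditions, the second one is removed outright by giving the connector its own trust anchors. Below is an added illustration, not the advisory's text nor configuration shipped by the Shibboleth project: two IdP v3 attribute-resolver DataConnector fragments, the first leaving trust to the JVM and the second pinning the directory's certificate with trustFile. The attribute names (ldapURL, useStartTLS, trustFile, principal, principalCredential) are those of the IdP v3 LDAPDirectory connector as I understand it; the hostnames, DNs, file paths and connector ids are made up for the example.

```xml
<!-- Added example, not from the advisory or the IdP distribution.
     All hostnames, DNs and paths below are placeholders. -->

<!-- 1. Matches both conditions in the advisory: ldaps:// (no StartTLS)
        and no trust material, so the LDAP library is left with
        default JVM trust. -->
<DataConnector id="ldapDefaultTrust" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="cn=idp,ou=services,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="false">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
</DataConnector>

<!-- 2. Same connection, but trust is explicit: trustFile points at a
        PEM file holding the directory server's certificate (or its
        issuing CA), so default JVM trust is never consulted. -->
<DataConnector id="ldapExplicitTrust" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="cn=idp,ou=services,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="false"
    trustFile="%{idp.home}/credentials/ldap-server.crt">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
</DataConnector>
```

When checking a deployment against the advisory, look for exactly the shape of the first fragment: an ldaps:// URL on a connector that carries no trustFile (and no trust properties feeding one). A quick way to confirm the fix actually bites is to point trustFile at a certificate that does not match the server; the connector should then fail to connect rather than silently proceed.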