Shibboleth Identity Provider Security Advisory [4 October 2017]

Tom Poage tfpoage at
Wed Oct 4 09:48:05 EDT 2017


> LDAP Data Connector insecure when using default JVM trust
> =========================================================
> A flaw in the library used by the LDAP data connector [1] causes the
> connector to fail to validate the server certificate and leaves it
> vulnerable to man in the middle attacks under the following conditions:
> 1. The connection is via LDAPS (NOT StartTLS).
> 2. The connection's trust configuration is left to the default Java
> cacerts file, so-called default JVM trust.

Is the vulnerability the 'AND' or an 'OR' of the two conditions?

(looking to rule out any assumptions on my part)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the users mailing list