Shibboleth Identity Provider Security Advisory [4 October 2017]
tfpoage at ucdavis.edu
Wed Oct 4 09:48:05 EDT 2017
> LDAP Data Connector insecure when using default JVM trust
> A flaw in the library used by the LDAP data connector causes the
> connector to fail to validate the server certificate and leaves it
> vulnerable to man in the middle attacks under the following conditions:
> 1. The connection is via LDAPS (NOT StartTLS).
> 2. The connection's trust configuration is left to the default Java
> cacerts file, so-called default JVM trust.
Is the vulnerability the 'AND' or an 'OR' of the two conditions?
(looking to rule out any assumptions on my part)