We have a tool which scans the servers for the latest Vulnerabilities. So in the server where we have apacheDS only running we got an SSLv3(poodle vulnerability) on the port which is used by apacheds on SSL.
It doesn't say at the code level but clearly states my LDAPS port is vulnerable. Below is the details it give me in the scan report although its generic.
The SSL protocol 3.0 design error, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attacks.
The target supports SSLv3, which makes it vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption), even if it also supports more recent versions of TLS. It's subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3.
An attacker who can take a man-in-the-middle (MitM) position can exploit this vulnerability and gain access to encrypted communication between a client and server.
When I ran the openssl check it does say SSlv3 as the one being used and available,If server is using TLS then it shouldn't return this,
I know we use TLS and there is no option for choosing anything else , is there any way to enforce SSLv3 to be disabled at all?
Am using apache DS 2.0.0.M-10 and java 6 latest update.