Port used by CA LDAP identified to be vulnerable TLS_FALLBACK.



Article ID: 204437

Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Environment: CA LDAP 15.1 on z/OS V2.3.

Security tests have shown that the port used by CA LDAP could be vulnerable to client-initiated renegotiation (CVE-2011-1473) and that it did not use TLS_FALLBACK_SCSV to prevent a downgrade to an earlier version of TLS.

To resolve the problems, the following action was taken: the parameter TLSProtocolMin was added to the CA LDAP configuration.

TLSKeyringName       CALDAP/CALDAP_keyring_label
TLSCertificateLabel  CALDAP_certificat_label_signed
TLSProtocolMin       tls1.2

Is this the action to be taken to resolve this issue?

Environment

Top Secret 16.0

Component : CA LDAP Server 15.1

Resolution

TLS negotiation in this environment is controlled by IBM software.

When TLSProtocolMin is set, CA LDAP is configured to use TLS 1.2 or higher:

TLSProtocolMin TLS1.2

However, the IBM software may be applying other overrides, such as GSK_XXX environment variables, so it is IBM SSL that makes the final decision on the TLS settings actually in effect.
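A post-change verification check, added here as an example and not part of the original article: it pins a client handshake to each TLS version in turn against the CA LDAP TLS port and reports whether anything below the configured floor is still accepted, which is the practical way to see whether TLSProtocolMin or an IBM SSL override is what is actually in effect. The host name and port are placeholders, and the check covers the protocol floor only; Python's ssl module does not expose TLS_FALLBACK_SCSV or client-initiated renegotiation, so those need a separate check.

```python
import socket
import ssl

# Versions to probe, oldest first; with TLSProtocolMin tls1.2 in effect the
# server should refuse the first two.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe_version(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`. Returns "accepted",
    "refused", or "unprobed" (local OpenSSL would not offer the version)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test the protocol floor, not the cert chain
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let modern OpenSSL offer TLS 1.0/1.1
        ctx.minimum_version = ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "unprobed"
    raw = socket.create_connection((host, port), timeout=timeout)  # unreachable port raises
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except ssl.SSLError as exc:
        # Our own OpenSSL declining to speak the version is not a server verdict.
        return "unprobed" if "no protocols available" in str(exc) else "refused"
    except OSError:
        return "refused"  # reset or close during the handshake counts as a refusal
    finally:
        raw.close()

def probe_all(host, port):
    return {name: probe_version(host, port, v) for name, v in PROBE_VERSIONS.items()}

def evaluate_floor(results, floor="TLSv1.2"):
    """Summarise probe results against the configured floor. Anything under
    accepted_below_floor means TLSProtocolMin is not what is actually in effect."""
    order = list(PROBE_VERSIONS)
    below = order[: order.index(floor)]
    return {
        "accepted_below_floor": [v for v in below if results.get(v) == "accepted"],
        "unprobed": [v for v in order if results.get(v) == "unprobed"],
    }

if __name__ == "__main__":
    # Placeholder host and port: substitute the CA LDAP server and its TLS port.
    print(evaluate_floor(probe_all("ldap.example.invalid", 636)))
```

An empty accepted_below_floor list with nothing unprobed is the result you want to see after the configuration change; any version listed under unprobed was never offered to the server and should be rechecked from a client whose OpenSSL still supports it.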