Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Directory)  >   OpenLDAP Vendors:
OpenLDAP May Ignore TLSCipherSuite Setting in Some Cases
SecurityTracker Alert ID:  1027127
SecurityTracker URL:
CVE Reference:   CVE-2012-2668   (Links to External Site)
Date:  Jun 6 2012
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenLDAP. The system may use a weaker cipher suite than specified.

When the Mozilla NSS backend is used, the OpenLDAP software ignores the TLSCipherSuite setting and instead uses the default cipher suite, which may contain some weak ciphers.

The vulnerability resides in 'libraries/libldap/tls_m.c'.

Tim Strobell reported this vulnerability.

Impact:   The system may use weaker ciphers than specified in the configuration file.
Solution:   The vendor has issued a source code fix, available at:;a=commit;h=2c2bb2e

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 8 2012 (Red Hat Issues Fix) OpenLDAP May Ignore TLSCipherSuite Setting in Some Cases
Red Hat has issued a fix for Red Hat Enterprise Linux 6.

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC