Hi David (et al),
What is the right way to do this in the DS? (I am on 1.2.11.32)
I see under cn=config there is cn=encryption and there are nsSSL3Ciphers and nsSSLSupportCiphers (lots of these). The documentation just shows the simple on/off for SSL/TLS.
For me, my admin server has SSL on but it is behind a firewall so I am not concerned with adjusting it.
Thanks for pointers.
/mrg
On 10/15/2014 8:16 AM, Jan Tomasek wrote:
Is http://poodlebleed.com/ related to 389? I think it is; this is not an implementation flaw in OpenSSL, this seems to be related to the SSLv3 design.

From http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566:
Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and other protocols with SSL support?

The current attack vector as shown by the researchers works with controlling the plaintext sent to the server using JavaScript being run on the victim's machine. This vector does not apply to non-HTTPS scenarios without using a browser. Also, normally an SSL client doesn't allow the session to be downgraded to SSLv3 (having TLSv1+ seen in the handshake capabilities), but browsers want to be very backward compatible and they do. The combination with controlling plaintext and the specific way an HTTP header is built up makes it exploitable. Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in your next service window.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
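One way to verify that a directory server no longer negotiates SSLv3 after cn=encryption has been changed, added here as an example and not code from the thread or from 389 DS: a small Python probe that sends a raw SSLv3 ClientHello to the LDAPS port and classifies the first record the server sends back. The target host name, the port (636) and the cipher list offered are assumptions for the sake of the example.

```python
import socket
import struct

# Constructed list of SSLv3-era cipher suite ids offered by the probe; the
# check only needs the server's yes/no answer, not a particular suite.
SSLV3_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

def build_sslv3_client_hello(client_random=b"\x00" * 32):
    """Return a minimal SSLv3 (protocol version 3.0) ClientHello record."""
    ciphers = b"".join(struct.pack("!H", c) for c in SSLV3_CIPHERS)
    body = (b"\x03\x00"                                   # client_version = SSLv3
            + client_random                               # 32-byte random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                                # one compression method: null
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version 3.0, 16-bit length.
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server returns for our SSLv3 ClientHello."""
    if len(data) < 5:
        return "sslv3-refused"      # server closed without sending any record
    if data[0] == 0x15:             # Alert record: handshake rejected
        return "sslv3-refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        if data[9:11] == b"\x03\x00":   # server_version field
            return "sslv3-accepted"     # SSLv3 still enabled: POODLE-exposed
        return "other-version"
    return "unknown"

def probe(host, port=636, timeout=5.0):
    """Connect to an LDAPS port, send the SSLv3 ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)

if __name__ == "__main__":
    import sys
    # Placeholder host; pass the directory server's name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"
    print(target, probe(target))
```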