Re: How relevant is Poodlebleed Bug to 389?

Rich Megginson <rmeggins@xxxxxxxxxx> · Wed, 15 Oct 2014 13:20:37 -0600



    On 10/15/2014 12:34 PM, Michael Gettes
      wrote:

    
      Hi David (et al),
      

      what is the right way to do this in the DS?  (i am on
        1.2.11.32)
      

      i see under cn=config there is cn=encryption and there are
        nsSSL3Ciphers and nsSSLSupportCiphers (lots of these).  The
        documentation just shows the simple on/off for SSL/TLS.
    
    
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL-Setting_Security_Preferences.html

    and

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsssl3ciphers

    and

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsSSL2

    and

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsSSL3

    and

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsTLS1

    
    You might be able to just set nsSSL2: off and nsSSL3: off and
    nsTLS1: on

    
      For me, my admin server has SSL on but it is behind a
        firewall so I am not concerned with adjusting it.
    
    
      Thanks for pointers.
      

      /mrg
      

            On Oct 15, 2014, at 12:12 PM, David Boreham <david_list@xxxxxxxxxxx>
              wrote:
            

                On 10/15/2014 8:16 AM, Jan
                  Tomasek wrote:

                
                is http://poodlebleed.com/
                  related to 389? I think it is, this is not
                  implementation flaw in OpenSSL, this seems to be
                  related to the SSLv3 design. 

                
                From http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
                :

                
                Is it
                  relevant for HTTPS only or also for IMAP/SMTP/OpenVPN
                  and other protocols with SSL support?
                The current attack vector as
                  shown by the researchers works with controlling the
                  plaintext sent to the server using _javascript_ being
                  run on the victim's machine. This vector does not
                  apply to non-HTTPS scenarios without using a browser.
                Also, normally an SSL client
                  doesn't allow the session to be downgraded to SSLv3
                  (having TLSv1+ seen in the handshake capabilities),
                  but browsers want to be very backward compatible and
                  the do. The combination with controlling plaintext and
                  the specific way a HTTP header is built up makes it
                  exploitable.
                Conclusion: disable SSLv3 for
                  HTTPS now,
                  disable SSLv3 for other services in your next service
                  window.

                
              --

              389 users mailing list

              389-users@xxxxxxxxxxxxxxxxxxxxxxx

              https://admin.fedoraproject.org/mailman/listinfo/389-users
          
          
      --
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
    
    
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: How relevant is Poodlebleed Bug to 389?

Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and other protocols with SSL support?