Re: POODLE: cve-2014-3566

Mark Reynolds <mareynol@xxxxxxxxxx> · Tue, 3 May 2016 12:25:44 -0400



    On 05/03/2016 11:38 AM, Derek Belcher
      wrote:

    
              The 389ds website is down. 

              
    We are currently working on getting the site back up.  The hosting
    service(openshift) is misbehaving, and we are waiting for
    assistance.

    
    Here is the contents of that page:

    
    # How to Disable SSLv3

    --------------------------

    
    With the recent discovery of the Poodlebleed vulnerability bug
    (2014/10/15), a minimum of TLS1.1 should be used instead of SSLv3.

    
    ### Disable SSLv3 in 389 Directory Server

    
    Here is an example of how to use ldapmodify to disable SSLv3 and
    enable TLS

    
        # ldapmodify -D "cn=directory manager" -W

        dn: cn=encryption,cn=config

        changetype: modify

        replace: nsSSL2

        nsSSL2: off

        -

        replace: nsSSL3

        nsSSL3: off

        -

        replace: nsTLS1

        nsTLS1: on

    
    Set the SSL version range to enforce TLS1.1 through TLS1.2.

    
        # ldapmodify -D "cn=directory manager" -W

        dn: cn=encryption,cn=config

        changetype: modify

        replace: sslVersionMin

        sslVersionMin: TLS1.1

        -

        replace: sslVersionMax

        sslVersionMax: TLS1.2

    
    Note: If sslVersionMax is not explicitly set, the supported version
    by the installed NSS is applied to sslVersionMax. If sslVersionMin
    is not explicitly set, even if NSS supports SSL3, TLS1.0 is set to
    sslVersionMin, by default.

    
    You need to restart the server for this to take effect.

    
    ### Disable SSLv3 in favor of TLSv1.1(or higher) in 389
    Administration Server

    
    -   Stop the Admin Server

    -   Edit /etc/dirsrv/admin-serv/console.conf

    
            Change: NSSProtocol SSLv3,TLSv1

            To:     NSSProtocol TLSv1.1

    
    -   Start the Admin server

    
    ### Enforce TLS verson range in the console

    
    Edit the console preferences file and add the following lines:

    
        # vi ~/.389-console/Console.1.1.12.Login.preferences

    
        sslVersionMin: TLS1.1

        sslVersionMax: TLS1.2

    
    ### Verify SSLv3 is Disabled

    
    You can use the openssl client tool to verify the SSL Handshake does
    NOT take place.

    
        openssl s_client -connect hostname:389 -ssl3   # DS Port

        openssl s_client -connect hostname:636 -ssl3   # DS Secure Port

        openssl s_client -connect hostname:9830 -ssl3  # Admin Server
    Port

    
    For more information see
    <https://access.redhat.com/articles/1232123>

    
    There is also a script available from the above link that will run
    the openssl client tool and verify the SSL3 status for you.

    
              Can anyone tell me how to disable SSLv3 so I can protect
              against Poodle?

              
            This seems like it would be the right article, if I could
            only access it:

            http://directory.fedoraproject.org/docs/389ds/howto/howto-disable-sslv3.html

            
            "503 Service Unavailable
              No server is available to handle this request. "

            
          Thank you for your time.

        
        -Derek

        
      --
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx

    
--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx