Re: POODLE: cve-2014-3566

[Noriko Hosoi <nhosoi@xxxxxxxxxx>]

Hello Derek,

The SSL range setting is supported on RHEL-7.x, but not on RHEL-6.x.

Please use "nsSSL3" and "nsTLS1" to control the SSL versions.

By default (without having nsSSL3 and nsTLS1 in cn=encryption,cn=config), the range is TLS1.0 through the highest the NSS on the system supports, e.g., TLS1.2.

Currently, there is no way to disable TLS1.0 on RHEL-6.7.  We are adding nsTLS1.0 option to allow disabling it.  But it is not ready yet.
Thanks.

On 05/03/2016 12:05 PM, Derek Belcher wrote:

Thank you for Mark.

I am getting a fail message when trying to set the SSL version range to enforce TLS1.1 through TLS1.2 When I try and replace the "sslversionmin" and "sslversionmax" I receive and error saying that the attribute is not allowed? I checked the dse.ldif to see if it was in there and it was not. So instead of doing a "replace" I tried an "add" and got the same error message.

I am obviously missing or needing something extra, but what?

 # ldapmodify -D "cn=directory manager" -W -f set_TLS_range_enforce.ldif
Enter LDAP Password:
modifying entry "cn=encryption,cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute "sslversionmin" not allowed

#
# cat set_TLS_range_enforce.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: sslVersionMin
sslVersionMin: TLS1.1
-
replace: sslVersionMax
sslVersionMax: TLS1.2
#
#
#
# grep "dn: cn=encryption,cn=config" /etc/dirsrv/slapd-MY-SERVER/dse.ldif -A18
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20160107193818Z
modifyTimestamp: 20160503184243Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

#
# rpm -qa 389*
389-admin-1.1.35-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64

Thanks for your help!!!

On Tue, May 3, 2016 at 11:25 AM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:

On 05/03/2016 11:38 AM, Derek Belcher wrote:

The 389ds website is down.

We are currently working on getting the site back up.  The hosting service(openshift) is misbehaving, and we are waiting for assistance.

Here is the contents of that page:


# How to Disable SSLv3
--------------------------

With the recent discovery of the Poodlebleed vulnerability bug (2014/10/15), a minimum of TLS1.1 should be used instead of SSLv3.

### Disable SSLv3 in 389 Directory Server

Here is an example of how to use ldapmodify to disable SSLv3 and enable TLS

    # ldapmodify -D "cn=directory manager" -W
    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL2
    nsSSL2: off
    -
    replace: nsSSL3
    nsSSL3: off
    -
    replace: nsTLS1
    nsTLS1: on

Set the SSL version range to enforce TLS1.1 through TLS1.2.

    # ldapmodify -D "cn=directory manager" -W
    dn: cn=encryption,cn=config
    changetype: modify
    replace: sslVersionMin
    sslVersionMin: TLS1.1
    -
    replace: sslVersionMax
    sslVersionMax: TLS1.2

Note: If sslVersionMax is not explicitly set, the supported version by the installed NSS is applied to sslVersionMax. If sslVersionMin is not explicitly set, even if NSS supports SSL3, TLS1.0 is set to sslVersionMin, by default.

You need to restart the server for this to take effect.

### Disable SSLv3 in favor of TLSv1.1(or higher) in 389 Administration Server

-   Stop the Admin Server
-   Edit /etc/dirsrv/admin-serv/console.conf

        Change: NSSProtocol SSLv3,TLSv1
        To:     NSSProtocol TLSv1.1

-   Start the Admin server


### Enforce TLS verson range in the console

Edit the console preferences file and add the following lines:


    # vi ~/.389-console/Console.1.1.12.Login.preferences

    sslVersionMin: TLS1.1
    sslVersionMax: TLS1.2

### Verify SSLv3 is Disabled

You can use the openssl client tool to verify the SSL Handshake does NOT take place.

    openssl s_client -connect hostname:389 -ssl3   # DS Port
    openssl s_client -connect hostname:636 -ssl3   # DS Secure Port
    openssl s_client -connect hostname:9830 -ssl3  # Admin Server Port

For more information see <https://access.redhat.com/articles/1232123>

There is also a script available from the above link that will run the openssl client tool and verify the SSL3 status for you.

Can anyone tell me how to disable SSLv3 so I can protect against Poodle?

This seems like it would be the right article, if I could only access it:
http://directory.fedoraproject.org/docs/389ds/howto/howto-disable-sslv3.html

"503 Service Unavailable No server is available to handle this request. "

Thank you for your time.

-Derek

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx