Hi David (et al), what is the right way to do this in the DS? (I am on 1.2.11.32)

I see under cn=config there is cn=encryption and there are nsSSL3Ciphers and nsSSLSupportedCiphers (lots of these). The documentation just shows the simple on/off for SSL/TLS. For me, my admin server has SSL on, but it is behind a firewall so I am not concerned with adjusting it. Thanks for pointers.

/mrg

On Oct 15, 2014, at 12:12 PM, David Boreham <[email protected]> wrote:

> On 10/15/2014 8:16 AM, Jan Tomasek wrote:
>> Is http://poodlebleed.com/ related to 389? I think it is; this is not an
>> implementation flaw in OpenSSL, this seems to be related to the SSLv3
>> design.
>
> From
> http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
> :
>
> Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and other
> protocols with SSL support?
>
> The current attack vector as shown by the researchers works with controlling
> the plaintext sent to the server using Javascript being run on the victim's
> machine. This vector does not apply to non-HTTPS scenarios without using a
> browser.
>
> Also, normally an SSL client doesn't allow the session to be downgraded to
> SSLv3 (having TLSv1+ seen in the handshake capabilities), but browsers want
> to be very backward compatible and they do. The combination with controlling
> plaintext and the specific way an HTTP header is built up makes it exploitable.
>
> Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in
> your next service window.
>
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
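The question above asks how to turn SSLv3 off under cn=encryption,cn=config rather than only tuning cipher lists. The script below is an added example, not part of the thread and not 389 DS project code. It assumes the release in use still exposes the nsSSL3 / nsTLS1 on-off attributes on cn=encryption,cn=config (these predate the later sslVersionMin/sslVersionMax attributes), that the OpenLDAP ldapmodify client is installed, that the Directory Manager password is provided in DM_PASS, and that the hostname and ports are placeholders to be replaced. The cn=encryption change takes effect only after the instance is restarted, so the verification step is meant to run after that restart.

```shell
#!/bin/sh
# Added example (not from the thread): disable SSLv3 on a 389 DS instance by
# setting nsSSL3 to off under cn=encryption,cn=config, then confirm that the
# LDAPS listener rejects an SSLv3-only handshake.
#
# Assumptions (not stated in the thread): nsSSL3/nsTLS1 exist on this release,
# OpenLDAP ldapmodify is on PATH, DM_PASS holds the Directory Manager password.
DS_HOST="${DS_HOST:-ldap.example.com}"      # placeholder hostname
DS_PORT="${DS_PORT:-389}"                   # plain LDAP port used for the modify
DS_LDAPS_PORT="${DS_LDAPS_PORT:-636}"       # LDAPS port to verify afterwards
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Emit the LDIF that switches SSLv3 off while keeping TLSv1 enabled.
ssl3_off_ldif() {
    cat <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
EOF
}

# Apply the LDIF to the running instance. The change is stored immediately
# but the listener only picks it up after the instance is restarted.
apply_ssl3_off() {
    ssl3_off_ldif | ldapmodify -x -H "ldap://$DS_HOST:$DS_PORT" \
        -D "$BIND_DN" -w "$DM_PASS"
}

# Return 0 when the LDAPS listener refuses an SSLv3-only handshake and 1 when
# it still completes one. A successful s_client session prints a line such as
# "Protocol  : SSLv3"; a refused one never reaches that point. The -ssl3 option
# exists only in OpenSSL builds that still compile SSLv3 support.
sslv3_refused() {
    if openssl s_client -ssl3 -connect "$DS_HOST:$DS_LDAPS_PORT" </dev/null 2>/dev/null \
        | grep -q 'Protocol *: *SSLv3'; then
        echo "SSLv3 still accepted on $DS_HOST:$DS_LDAPS_PORT" >&2
        return 1
    fi
    echo "SSLv3 refused on $DS_HOST:$DS_LDAPS_PORT"
    return 0
}

# Optional dispatch so the file can be used directly:
#   sh ssl3-off.sh apply     (then restart the instance)
#   sh ssl3-off.sh check
case "${1:-}" in
    apply) apply_ssl3_off ;;
    check) sslv3_refused ;;
    *) ;;
esac
```

After `apply` and a restart of the instance, `check` should report that SSLv3 is refused; running `check` before the restart is a quick way to confirm that the restart is actually required on this release. The cipher list attributes mentioned in the question (nsSSL3Ciphers and nsSSLSupportedCiphers) are independent of this switch: they select which suites are offered within an enabled protocol, whereas nsSSL3 removes the protocol version entirely.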
