On 10/15/2014 12:34 PM, Michael Gettes wrote:
Hi David (et al),
What is the right way to do this in the DS? (I am on 1.2.11.32)
I see under cn=config there is cn=encryption and there are
nsSSL3Ciphers and nsSSLSupportCiphers (lots of these). The
documentation just shows the simple on/off for SSL/TLS.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL-Setting_Security_Preferences.html
and
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsssl3ciphers
and
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsSSL2
and
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsSSL3
and
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsTLS1
You might be able to just set nsSSL2: off and nsSSL3: off and nsTLS1: on
For me, my admin server has SSL on but it is behind a firewall so I am
not concerned with adjusting it.
Thanks for pointers.
/mrg
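An added example, not from this thread or from the 389 project: it reads a cn=encryption entry as ldapsearch would print it, reports which of nsSSL2/nsSSL3/nsTLS1 deviate from "off/off/on", and emits the ldapmodify input that sets them. The sample entry and its cipher list are constructed, not captured from a real server.

```python
"""Check cn=encryption in 389 DS for SSLv3 exposure and build the fix."""

# Constructed sample of what `ldapsearch -b cn=encryption,cn=config` returns
# on a server that still accepts SSLv3 (values are made up for illustration).
SAMPLE_ENTRY = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
nsTLS1: on
nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha,
 +rsa_3des_sha
"""

# Policy from the thread: SSLv2 and SSLv3 off, TLS1 on. Attribute names keep
# their LDAP case so they can be written straight back into an LDIF change.
WANTED = [("nsSSL2", "off"), ("nsSSL3", "off"), ("nsTLS1", "on")]

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding
    continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def poodle_findings(entry):
    """Return [(attribute, current, wanted)] for every protocol flag that is
    not set as wanted. An absent attribute is reported too, so the final
    configuration is explicit rather than relying on the server default."""
    findings = []
    for attr, wanted in WANTED:
        current = entry.get(attr.lower(), ["<absent>"])[0].lower()
        if current != wanted:
            findings.append((attr, current, wanted))
    return findings

def fix_ldif(findings):
    """Build ldapmodify input for the deviations. cn=encryption changes only
    take effect after the directory server is restarted."""
    if not findings:
        return ""
    body = ["dn: cn=encryption,cn=config", "changetype: modify"]
    for attr, _current, wanted in findings:
        body += ["replace: " + attr, attr + ": " + wanted, "-"]
    return "\n".join(body) + "\n"

if __name__ == "__main__":
    found = poodle_findings(parse_ldif_entry(SAMPLE_ENTRY))
    for attr, current, wanted in found:
        print("%s is %s, want %s" % (attr, current, wanted))
    # Feed this to: ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W
    print(fix_ldif(found), end="")
```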
On Oct 15, 2014, at 12:12 PM, David Boreham <[email protected]> wrote:
On 10/15/2014 8:16 AM, Jan Tomasek wrote:
Is http://poodlebleed.com/ related to 389? I think it is; this is
not an implementation flaw in OpenSSL, this seems to be related to the
SSLv3 design.
From
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566:
Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and
other protocols with SSL support?
The current attack vector as shown by the researchers works with
controlling the plaintext sent to the server using Javascript being
run on the victim's machine. This vector does not apply to non-HTTPS
scenarios without using a browser.
Also, normally an SSL client doesn't allow the session to be
downgraded to SSLv3 (having TLSv1+ seen in the handshake
capabilities), but browsers want to be very backward compatible and
they do. The combination with controlling plaintext and the specific
way an HTTP header is built up makes it exploitable.
Conclusion: disable SSLv3 for HTTPS *now*, disable SSLv3 for other
services in your next service window.
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users