Pardon my ignorance on the subject, but I need to understand this:
> You've probably all heard about this "new" attack several times by now. Just
> to confirm what's already been stated - this attack only affects HTTP browsers
> that deliberately break the TLS handshake protocol to allow using older SSL
> versions. It does not affect LDAP software at all.

Isn't this configurable?  With the following:
TLSCipherSuite          HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
doesn't this allow SSLv3?   To secure against POODLE, don't we need to remove 
the SSLv3?
> Also, since version 2.4.14 (released February 2009), OpenLDAP has supported
> TLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directives
> for selecting the minimum version of SSL/TLS to allow. As this feature has
> been available for over 5 years there is no reason for any OpenLDAP
> deployments to be using SSLv3 today.
> 
> -- 
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
> 
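To illustrate the distinction the thread is circling, here is an added example (not OpenLDAP code, and not from either poster): a small lint that reads slapd.conf TLS directives and reports whether SSLv3 can still be negotiated. It assumes the slapd.conf syntax "TLSProtocolMin <major>.<minor>" with 3.0 meaning SSLv3 and 3.1 meaning TLS 1.0, and treats a missing TLSProtocolMin as leaving the floor at SSLv3; the two config samples are constructed.

```python
# Added example, not OpenLDAP's own code. Assumes "TLSProtocolMin major.minor",
# where 3.0 is SSLv3 and 3.1 is TLS 1.0 (SSL/TLS record-layer version numbers).
# Note: "+SSLv3" inside TLSCipherSuite selects cipher suites by the protocol
# that introduced them; it does not set a protocol floor. Only TLSProtocolMin does.
import re

SSLV3 = (3, 0)
TLS10 = (3, 1)

# Constructed sample: the snippet from the thread, no protocol floor set.
WEAK_CONF = """
TLSCipherSuite          HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
"""

# Constructed sample: same cipher string, SSLv3 refused via TLSProtocolMin.
HARDENED_CONF = """
TLSCipherSuite          HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
TLSProtocolMin          3.1
"""


def parse_tls_directives(conf: str) -> dict:
    """Collect TLS* directives (names lower-cased) from slapd.conf text."""
    directives = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("tls"):
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def protocol_min(conf: str) -> tuple:
    """Effective minimum protocol; assumed SSLv3 when TLSProtocolMin is absent."""
    value = parse_tls_directives(conf).get("tlsprotocolmin")
    if value is None:
        return SSLV3
    m = re.fullmatch(r"(\d+)\.(\d+)", value)
    if not m:
        raise ValueError(f"unparseable TLSProtocolMin: {value!r}")
    return (int(m.group(1)), int(m.group(2)))


def allows_sslv3(conf: str) -> bool:
    """True if this configuration would still negotiate SSLv3 (POODLE-exposed)."""
    return protocol_min(conf) <= SSLV3


if __name__ == "__main__":
    print("weak config allows SSLv3:", allows_sslv3(WEAK_CONF))          # True
    print("hardened config allows SSLv3:", allows_sslv3(HARDENED_CONF))  # False
```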