2014-10-19 15:36 GMT+02:00 Howard Chu <[email protected]>:

> Joe Friedeggs wrote:
>
>> Pardon my ignorance on the subject, but I need to understand this:
>>
>> > You've probably all heard about this "new" attack several times by now. Just
>> > to confirm what's already been stated - this attack only affects HTTP browsers
>> > that deliberately break the TLS handshake protocol to allow using older SSL
>> > versions. It does not affect LDAP software at all.
>>
>> Isn't this configurable? With the following:
>>
>> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
>>
>> doesn't this allow SSLv3?
>>
>
> Yes.
>
>> To secure against POODLE, don't we need to remove the SSLv3?
>>
>
> No. In the standard TLS handshake protocol, if both sides support TLSv1,
> it's not possible to downgrade to SSLv3. The POODLE attack only exists
> because web browsers intentionally break the standard TLS handshake
> protocol.

Or more commonly because some equipment (a firewall, most of the time) closes the connection at both ends, and the browser retries the connection with a protocol downgrade. Web browsers don't intentionally break the handshake; they try to adapt to various server and network environments to get the resource desired by the end user.

--
Erwann.
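
The two behaviours discussed in this thread, as an added example that is not part of the original messages: a toy model (not real TLS) of a standard single-attempt handshake next to a browser-style retry with a lower offered version. The function names and the `path_drops` hook are hypothetical, and the interference rule is constructed for illustration.

```python
# Toy model of TLS protocol-version negotiation (constructed example, not real TLS).
from enum import IntEnum

class Version(IntEnum):
    SSLv3 = 0x0300      # wire values of the protocol version field
    TLSv1_0 = 0x0301

class HandshakeFailure(Exception):
    """No protocol version acceptable to both peers."""

def negotiate(offered_max, client_versions, server_versions):
    """Standard handshake: the server answers with the highest version it
    supports that does not exceed the maximum the client offered."""
    common = [v for v in server_versions
              if v in client_versions and v <= offered_max]
    if not common:
        raise HandshakeFailure("no common protocol version")
    return max(common)

def attempt(offered_max, client_versions, server_versions, path_drops):
    """One connection. path_drops(offered_max) models equipment on the path
    (hypothetical hook) that closes connections carrying that offer."""
    if path_drops(offered_max):
        raise ConnectionError("connection closed before handshake completed")
    return negotiate(offered_max, client_versions, server_versions)

def strict_client(client_versions, server_versions, path_drops=lambda v: False):
    """Single attempt at the client's best version; a failure stays a failure."""
    return attempt(max(client_versions), client_versions, server_versions, path_drops)

def fallback_client(client_versions, server_versions, path_drops=lambda v: False):
    """Browser-style retry: after a failure, reconnect offering a lower maximum."""
    for offered in sorted(client_versions, reverse=True):
        try:
            return attempt(offered, client_versions, server_versions, path_drops)
        except (ConnectionError, HandshakeFailure):
            continue
    raise HandshakeFailure("every attempt failed")

if __name__ == "__main__":
    both = {Version.SSLv3, Version.TLSv1_0}
    drops_tls = lambda offered: offered > Version.SSLv3   # constructed interference
    print(strict_client(both, both).name)
    print(fallback_client(both, both, drops_tls).name)
    try:
        strict_client(both, both, drops_tls)
    except ConnectionError as exc:
        print("strict client:", exc)
```

With both peers supporting SSLv3 and TLSv1, the single-attempt client either gets TLSv1 or no connection at all; only the retrying client ends up on SSLv3 when connections offering TLSv1 are closed on the path.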
