[Date Prev][Date Next] [Chronological] [Thread] [Top]

POODLE SSLv3 downgrade attack

To: OpenLDAP Technical <openldap-technical@OpenLDAP.org>
Subject: POODLE SSLv3 downgrade attack
From: Howard Chu <hyc@symas.com>
Date: Fri, 17 Oct 2014 09:40:17 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 SeaMonkey/2.27a1

You've probably all heard about this "new" attack several times by now. Justto confirm what's already been stated - this attack only affects HTTP browsersthat deliberately break the TLS handshake protocol to allow using older SSLversions. It does not affect LDAP software at all.

Also, since version 2.4.14 (released February 2009), OpenLDAP has supportedTLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directivesfor selecting the minimum version of SSL/TLS to allow. As this feature hasbeen available for over 5 years there is no reason for any OpenLDAPdeployments to be using SSLv3 today.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- RE: POODLE SSLv3 downgrade attack
  - From: Joe Friedeggs <friedeggs44@hotmail.com>

Prev by Date: Re: Q: accesslog and sessions
Next by Date: Re: [LMDB] some few questions
Index(es):
- Chronological
- Thread