Antw: RE: POODLE SSLv3 downgrade attack
>>> Joe Friedeggs <friedeggs44@hotmail.com> wrote on 19.10.2014 at 15:17 in
message <BLU170-W8303CBEF13F0FA435A5765A5960@phx.gbl>:
> Pardon my ignorance on the subject, but I need to understand this:
>> You've probably all heard about this "new" attack several times by now. Just
>> to confirm what's already been stated - this attack only affects HTTP browsers
>> that deliberately break the TLS handshake protocol to allow using older SSL
>> versions. It does not affect LDAP software at all.
>
> Isn't this configurable? With the following:
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
> doesn't this allow SSLv3? To secure against POODLE, don't we need to
> remove the SSLv3?
Related question: If a slapcat of the config database doesn't show a value for TLSCipherSuite, does it mean it is some default value? Any other way to query the setting?
[...]
Regards,
Ulrich