2014-10-19 15:36 GMT+02:00 Howard Chu hyc@symas.com:
Joe Friedeggs wrote:
Pardon my ignorance on the subject, but I need to understand this:
You've probably all heard about this "new" attack several times by now. Just to confirm what's already been stated - this attack only affects HTTP browsers that deliberately break the TLS handshake protocol to allow using older SSL versions. It does not affect LDAP software at all.
Isn't this configurable? With the following:

TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA

doesn't this allow SSLv3?
Yes.
To secure against POODLE, don't we need to remove the SSLv3?
No. In the standard TLS handshake protocol, if both sides support TLSv1, it's not possible to downgrade to SSLv3. The POODLE attack only exists because web browsers intentionally break the standard TLS handshake protocol.
Or more commonly because some equipment (a firewall, most of the time) closes the connection at both ends, and the browser retries the connection with a protocol downgrade. Web browsers don't intentionally break the handshake, they try to adapt to various servers+networks environments to get the resource desired by the end user.
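For readers who want to pin the protocol floor explicitly rather than rely on handshake behaviour, the following slapd.conf fragment is an added example, not part of this thread or of OpenLDAP's own documentation. It pairs the cipher-suite line quoted above with the separate TLSProtocolMin directive from slapd.conf(5): in OpenSSL the cipher string selects cipher suites, while the minimum negotiated protocol version is set independently (3.1 corresponds to TLS 1.0). The certificate and key paths are placeholders.

```conf
# --- Added example: slapd.conf TLS settings (placeholder paths) ---

TLSCertificateFile      /etc/openldap/certs/server.crt   # placeholder
TLSCertificateKeyFile   /etc/openldap/certs/server.key   # placeholder

# Cipher-suite selection, as quoted in the thread. Note that "+SSLv3" here
# names an OpenSSL cipher-suite group and orders those suites last; the
# cipher string does not by itself set which protocol versions are allowed.
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA

# Protocol floor: refuse any handshake below TLS 1.0 (3.1 = TLS 1.0,
# 3.2 = TLS 1.1, 3.3 = TLS 1.2). This is what actually disables SSLv3
# on the server side, independent of the cipher list above.
# Per slapd.conf(5) this directive is ignored when slapd is built
# against GnuTLS rather than OpenSSL.
TLSProtocolMin 3.1
```

With cn=config the equivalent attributes are olcTLSCipherSuite and olcTLSProtocolMin on the cn=config entry; after changing either, verify the negotiated version with a client that reports it (for example `openssl s_client -connect host:636`), since a server that still answers an SSLv3 ClientHello has not picked up the setting.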