Joe Friedeggs wrote:
Pardon my ignorance on the subject, but I need to understand this:
You've probably all heard about this "new" attack several times by now. Just to confirm what's already been stated - this attack only affects HTTP browsers that deliberately break the TLS handshake protocol to allow using older SSL versions. It does not affect LDAP software at all.
Isn't this configurable? With the following:
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
doesn't this allow SSLv3?
Yes.
To secure against POODLE, don't we need to remove the SSLv3?
No. In the standard TLS handshake protocol, if both sides support TLSv1, it's not possible to downgrade to SSLv3. The POODLE attack only exists because web browsers intentionally break the standard TLS handshake protocol.
Also, since version 2.4.14 (released February 2009), OpenLDAP has supported TLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directives for selecting the minimum version of SSL/TLS to allow. As this feature has been available for over 5 years there is no reason for any OpenLDAP deployments to be using SSLv3 today.