Pardon my ignorance on the subject, but I need to understand this:
You've probably all heard about this "new" attack several times by now. Just to confirm what's already been stated - this attack only affects HTTP browsers that deliberately break the TLS handshake protocol to allow using older SSL versions. It does not affect LDAP software at all.
Isn't this configurable? With the following: TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA doesn't this allow SSLv3? To secure against POODLE, don't we need to remove the SSLv3?
Also, since version 2.4.14 (released February 2009), OpenLDAP has supported
TLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directives for selecting the minimum version of SSL/TLS to allow. As this feature has been available for over 5 years there is no reason for any OpenLDAP deployments to be using SSLv3 today.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/