Pardon my ignorance on the subject, but I need to understand this:
> You've probably all heard about this "new" attack several times by now. Just
> to confirm what's already been stated - this attack only affects HTTP browsers
> that deliberately break the TLS handshake protocol to allow using older SSL
> versions. It does not affect LDAP software at all.
Isn't this configurable? With the following:
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
doesn't this allow SSLv3? To secure against POODLE, don't we need to remove the SSLv3?
>
> Also, since version 2.4.14 (released February 2009), OpenLDAP has supported
> TLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directives
> for selecting the minimum version of SSL/TLS to allow. As this feature has
> been available for over 5 years there is no reason for any OpenLDAP
> deployments to be using SSLv3 today.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
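Added example, not part of the thread: a small Python check over constructed slapd.conf fragments that applies the directive Howard mentions. In OpenSSL cipher-string syntax the `+SSLv3` token in TLSCipherSuite selects cipher suites defined by the SSLv3 specification, it does not enable or disable the SSLv3 protocol; the protocol floor is set by TLSProtocolMin, written as major.minor (3.0 = SSLv3, 3.1 = TLS 1.0).

```python
"""Check a slapd.conf fragment for the POODLE-relevant protocol floor."""
import re

# Constructed sample configs (not taken from the thread).
WEAK_CONF = """\
TLSCertificateFile /etc/ldap/server.crt
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
"""

FIXED_CONF = """\
TLSCertificateFile /etc/ldap/server.crt
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:RSA
TLSProtocolMin 3.1
"""

# OpenLDAP encodes the minimum protocol as <major>.<minor>:
# 3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_protocol_min(conf: str):
    """Return (major, minor) from TLSProtocolMin, or None if the directive
    is absent. slapd.conf keywords are case-insensitive; lines starting
    with '#' are comments and deliberately do not match."""
    for line in conf.splitlines():
        m = re.match(r"^\s*TLSProtocolMin\s+(\d+)\.(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def allows_sslv3(conf: str) -> bool:
    """True if this fragment still lets slapd negotiate SSLv3.
    TLSCipherSuite is not consulted: '+SSLv3' there picks ciphers, not the
    protocol version. With no TLSProtocolMin the floor is whatever the TLS
    library accepts, which for OpenSSL builds of the POODLE era was SSLv3."""
    v = parse_protocol_min(conf)
    return v is None or v < (3, 1)


def report(conf: str) -> str:
    """One-line verdict suitable for a config audit."""
    v = parse_protocol_min(conf)
    if v is None:
        return "TLSProtocolMin missing: SSLv3 allowed; add 'TLSProtocolMin 3.1' or higher"
    name = VERSION_NAMES.get(v, f"{v[0]}.{v[1]}")
    if v < (3, 1):
        return f"TLSProtocolMin {name}: SSLv3 allowed; raise to 3.1 or higher"
    return f"TLSProtocolMin {name}: SSLv3 refused"
```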