[389-users] How relevant is Poodlebleed Bug to 389?
Paul Tobias
paul.tobias at geonomics.com
Fri Oct 17 08:55:34 UTC 2014
You probably want to disable SSLv3 on the admin server too. Add the
following line to /etc/dirsrv/admin-serv/console.conf:
NSSProtocol TLSv1.0,TLSv1.1
Documentation here:
https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html
Regarding the directory server, I didn't find "nsTLS1" under
cn=encryption,cn=config, but setting "nsSSL3: off" did the trick, the
openldap command line tools, the 389ds-console and sssd still works. (We
have "nsslapd-minssf: 128" in cn=config).
You can test like this:
openssl s_client -connect hostname:389 -ssl3
openssl s_client -connect hostname:636 -ssl3
openssl s_client -connect hostname:9830 -ssl3
If the above commands says something like:
140183413589832:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:
New, (NONE), Cipher is (NONE)
Then SSLv3 is disabled.
If the s_client output looks like this:
New, TLSv1/SSLv3, Cipher is AES128-SHA
and it's waiting for input, then SSLv3 is enabled!
Have a nice day,
Paul
On 2014-10-15 20:20, Rich Megginson wrote:
> On 10/15/2014 12:34 PM, Michael Gettes wrote:
>> Hi David (et al),
>>
>> what is the right way to do this in the DS? (i am on 1.2.11.32)
>>
>> i see under cn=config there is cn=encryption and there are
>> nsSSL3Ciphers and nsSSLSupportCiphers (lots of these). The
>> documentation just shows the simple on/off for SSL/TLS.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL-Setting_Security_Preferences.html
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsssl3ciphers
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsSSL2
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsSSL3
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnencryption-nsTLS1
>
> You might be able to just set nsSSL2: off and nsSSL3: off and nsTLS1: on
>>
>> For me, my admin server has SSL on but it is behind a firewall so I am
>> not concerned with adjusting it.
>>
>> Thanks for pointers.
>>
>> /mrg
>>
>> On Oct 15, 2014, at 12:12 PM, David Boreham <david_list at boreham.org
>> <mailto:david_list at boreham.org>> wrote:
>>
>>> On 10/15/2014 8:16 AM, Jan Tomasek wrote:
>>>> is http://poodlebleed.com/ related to 389? I think it is, this is
>>>> not implementation flaw in OpenSSL, this seems to be related to the
>>>> SSLv3 design.
>>> From
>>> http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
>>> :
>>>
>>>
>>> Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and
>>> other protocols with SSL support?
>>>
>>> The current attack vector as shown by the researchers works with
>>> controlling the plaintext sent to the server using Javascript being
>>> run on the victim's machine. This vector does not apply to non-HTTPS
>>> scenarios without using a browser.
>>>
>>> Also, normally an SSL client doesn't allow the session to be
>>> downgraded to SSLv3 (having TLSv1+ seen in the handshake
>>> capabilities), but browsers want to be very backward compatible and
>>> the do. The combination with controlling plaintext and the specific
>>> way a HTTP header is built up makes it exploitable.
>>>
>>> Conclusion: disable SSLv3 for HTTPS *now*, disable SSLv3 for other
>>> services in your next service window.
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> <mailto:389-users at lists.fedoraproject.org>
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
More information about the 389-users
mailing list