Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-17 Thread Paul Tobias
You probably want to disable SSLv3 on the admin server too. Add the following line to /etc/dirsrv/admin-serv/console.conf:

NSSProtocol TLSv1.0,TLSv1.1

Documentation here: https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html Regarding the directory server, I didn't find nsTLS1

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-17 Thread Rich Megginson
On 10/17/2014 02:55 AM, Paul Tobias wrote: You probably want to disable SSLv3 on the admin server too. Add the following line to /etc/dirsrv/admin-serv/console.conf:

NSSProtocol TLSv1.0,TLSv1.1

Documentation here: https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-16 Thread Michael Gettes
Update… this advice (quoted below) ended up being the simplest path to take. Please note that on none of my DS was nsTLS1 an existing attribute, so I had to add this attribute to the cn=encryption,cn=config object. I had to do a “service dirsrv restart” as doing a restart from console would only

[389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread Jan Tomasek
Hello, is http://poodlebleed.com/ related to 389? I think it is; this is not an implementation flaw in OpenSSL, this seems to be related to the SSLv3 design. I've found: http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html but new syntax with

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread Rich Megginson
On 10/15/2014 08:16 AM, Jan Tomasek wrote: Hello, is http://poodlebleed.com/ related to 389? I think it is; this is not an implementation flaw in OpenSSL, this seems to be related to the SSLv3 design. I've found: http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread Jan Tomasek
Hello, On 10/15/2014 04:58 PM, Rich Megginson wrote: is http://poodlebleed.com/ related to 389? I think it is; this is not an implementation flaw in OpenSSL, this seems to be related to the SSLv3 design. By not commenting this, I assume that. Yes. This bug is relevant even to 389. I've

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread David Boreham
On 10/15/2014 8:16 AM, Jan Tomasek wrote: is http://poodlebleed.com/ related to 389? I think it is; this is not an implementation flaw in OpenSSL, this seems to be related to the SSLv3 design. From

Re: [389-users] How relevant is Poodlebleed Bug to 389?

2014-10-15 Thread Michael Gettes
Hi David (et al), what is the right way to do this in the DS? (I am on 1.2.11.32.) I see under cn=config there is cn=encryption and there are nsSSL3Ciphers and nsSSLSupportCiphers (lots of these). The documentation just shows the simple on/off for SSL/TLS. For me, my admin server has SSL on