CVE-2014-3566: POODLE: SSLv3 vulnerability
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
All 1.x, 2.x, 3.x, 4.0 and 4.1.
Disable SSLv3 in mod_nss.
Edit /etc/httpd/conf.d/nss.conf and set
Restart the httpd service:
# service httpd restart
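A way to check the edited file for the change described above, as an added example that is not part of the original advisory or of FreeIPA. It assumes the protocol list is carried by mod_nss's NSSProtocol directive as a comma-separated value; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a mod_nss configuration file for SSLv3.
# Assumption: enabled protocols are listed in NSSProtocol, comma-separated.
# Usage after sourcing: check_nss_sslv3 /etc/httpd/conf.d/nss.conf

# Print every active (not commented-out) NSSProtocol directive
# as "<line number>:<value>", with spaces inside the value removed.
nss_protocol_lines() {
    awk '
        /^[ \t]*#/ { next }                          # skip commented lines
        tolower($1) == "nssprotocol" {               # directive names are case-insensitive
            val = ""
            for (i = 2; i <= NF; i++) val = val $i   # "a, b" becomes "a,b"
            print NR ":" val
        }' "$1"
}

# Exit status:
#   0  every active NSSProtocol line omits SSLv3
#   1  at least one active NSSProtocol line lists SSLv3
#   2  no active NSSProtocol line found, so the module default applies
#      and has to be reviewed separately
check_nss_sslv3() {
    conf=$1
    lines=$(nss_protocol_lines "$conf")
    if [ -z "$lines" ]; then
        echo "$conf: no active NSSProtocol directive" >&2
        return 2
    fi
    # Collect the line numbers whose protocol list contains SSLv3.
    bad=$(printf '%s\n' "$lines" | awk -F: '
        {
            n = split(tolower($2), p, ",")
            for (i = 1; i <= n; i++)
                if (p[i] == "sslv3") { print $1; break }
        }')
    if [ -n "$bad" ]; then
        for n in $bad; do
            echo "$conf:$n: SSLv3 is still enabled" >&2
        done
        return 1
    fi
    return 0
}
```

Each virtual host can carry its own NSSProtocol line, so the check reports every offending line number rather than stopping at the first.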
NOTE: mod_nss only added support for TLSv1.2 in mid-October 2014 and most distributions miss it. If your distribution includes mod_nss with TLSv1.2 support, please use
Versions of TLS supported by IPA
IPA client code only supports SSLv3 and TLS v1.0 at this time.
TLSv1.1 can be enabled in mod_nss, but it will not be used by the IPA command-line tools. This is being tracked in BZ 1154776.
For more information see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 and https://access.redhat.com/articles/1232123