[389-users] Remediating Encryption Levels
Gerrard Geldenhuis
Gerrard.Geldenhuis at betfair.com
Wed Feb 16 13:25:07 UTC 2011
Hi
I am currently testing this but would like to double up my testing with any other experiences in the list.
A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv.
I am testing whether this will have any effect on any connection within my setup that uses SSL, thus chaining, replication, console and general authentication from CentOS and Red Hat clients.
My understanding is that having those lower levels like DES 56 enabled allows such a connection but the connection encryption level will be determined by what the client initiates if supported at the server. So if the client initiates a 128bit RC4 it will be a 128bit RC4 connection. With this in mind what would be the default level of encryption if the client is "internal" to the 389DS. Thus would be the encryption level for chaining and replication and connecting to the console.
If an encryption level is not supported what is the negotiating logic to determine a working connection?
Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
More information about the 389-users
mailing list