[389-users] Remediating Encryption Levels
Andrey Ivanov
andrey.ivanov at polytechnique.fr
Wed Feb 16 16:13:45 UTC 2011
Hi Gerrard,
here is what we do to disable the weak encryptions :
Admin server :
dn: cn=encryption, cn=configuration, cn=admin-serv-ldap-<id>, cn=389
administration server, cn=server
group,cn=ldap-<id>.example.com,ou=example.com,o=netscaperoot
nsSSL2: off
nsSSL3: on
nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_rc4_40_md5,
+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5
389 Server :
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_des_sha,
+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,
+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,
-rc4,-rc4export,-rc2,-rc2export,-des,-desede3
I think it is possible to disable these algorithmes via console but i
have not tried...
@+
2011/2/16 Gerrard Geldenhuis <Gerrard.Geldenhuis at betfair.com>:
> Hi
> I am currently testing this but would like to double up my testing with any other experiences in the list.
>
> A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv.
>
More information about the 389-users
mailing list