Google
  Web www.spinics.net

Re: [389-users] Remediating Encryption Levels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi Gerrard,

here is what we do to disable the weak encryptions :


Admin server :
dn: cn=encryption, cn=configuration, cn=admin-serv-ldap-<id>, cn=389
administration server, cn=server
group,cn=ldap-<id>.example.com,ou=example.com,o=netscaperoot

nsSSL2: off
nsSSL3: on
nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_rc4_40_md5,
 +fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5



389 Server :
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_des_sha,
 +rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,
 +fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,
 -rc4,-rc4export,-rc2,-rc2export,-des,-desede3



I think it is possible to disable these algorithmes via console but i
have not tried...

@+

2011/2/16 Gerrard Geldenhuis <Gerrard.Geldenhuis@xxxxxxxxxxx>:
> Hi
> I am currently testing this but would like to double up my testing with any other experiences in the list.
>
> A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv.
>
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users


[Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Home]     [Fedora Tools]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Red Hat 9 Bible]     [Red Hat 9]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

Add to Google