Chapter 4. Updating the list of ciphers Directory Server supports

To establish an encrypted connection, both Directory Server and the client need at least one common cipher. For example, if a legacy application requires a cipher that is not enabled by default in Directory Server, you can enable it.

4.1. The difference between default ciphers and available ciphers

Instead of listing individual ciphers in the configuration, you can use one of the following keywords in the nsSSL3Ciphers parameter:

  • default: Refers to the default ciphers enabled in the network security services (NSS). To display the list, enter:

    # /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"

    The default keyword is the default value of the nsSSL3Ciphers parameter.

  • all: Refers to all supported ciphers in Directory Server. To display the list, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --supported

    Use the all keyword when you want to enable only specific ciphers. For example, setting nsSSL3Ciphers to -all,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 configures Directory Server to disable all ciphers and enable only TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

4.2. Weak ciphers

By default, Directory Server rejects weak ciphers. If a client requires one, you must explicitly configure Directory Server to support it.

Ciphers are considered weak if:

  • They are exportable.

    Exportable ciphers are labeled EXPORT in the cipher name. For example, in TLS_RSA_EXPORT_WITH_RC4_40_MD5.

  • They are symmetrical and weaker than the 3DES algorithm.

    Symmetrical ciphers use the same cryptographic keys for both encryption and decryption.

  • The key length is shorter than 128 bits.

4.3. Setting ciphers Directory Server supports using the command line

To update the list of supported ciphers in Directory Server, update the nsSSL3Ciphers parameter.

Prerequisites

  • You enabled TLS encryption in Directory Server.

Procedure

  1. Display the list of enabled ciphers:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list
    default

    The default keyword indicates that only the ciphers enabled in the network security services (NSS) are enabled.

  2. If you need to enable weak ciphers, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --allow-insecure-ciphers on

  3. Update the nsSSL3Ciphers parameter. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers set -- "-all,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

    Use -- so that the leading - character in -all is not interpreted as an option to the command. Do not use a \ character to escape -all: escaping can cause an error and result in a different cipher selection than the one you intended.

  4. Restart the instance:

    # dsctl instance_name restart

Verification

  • Display the list of enabled ciphers:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list
    default
    +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
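As an added example (not part of this documentation and not Directory Server's own code), the following Python script models how an nsSSL3Ciphers value such as -all,+CIPHER from sections 4.1 and 4.3 is resolved against a supported-cipher list, and flags suites that meet the weak-cipher criteria from section 4.2, so you can tell before changing the parameter whether --allow-insecure-ciphers would be required. The cipher names, the stand-in NSS default set, the key-length table and the keyword semantics are assumptions constructed from the text, not dsconf or listsuites output.

```python
"""Resolve an nsSSL3Ciphers value and flag weak suites (illustrative, not dsconf code)."""

# Constructed sample of suite names in the NSS naming style; not real dsconf output.
SUPPORTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

# Constructed stand-in for the NSS default-enabled set (the `default` keyword).
NSS_DEFAULT = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Assumed symmetric key lengths derived from the suite name. Longer tokens come
# first so that "_3DES_EDE_" is matched before a bare "_DES_" could be.
KEY_BITS = [("3DES_EDE", 168), ("AES_256", 256), ("AES_128", 128),
            ("RC4_128", 128), ("RC4_40", 40), ("DES40", 40), ("DES", 56), ("NULL", 0)]

# Assumed list of symmetric algorithms weaker than 3DES (the third criterion in 4.2).
WEAKER_THAN_3DES = ("RC4", "NULL")


def key_length_bits(name):
    """Return the symmetric key length for a suite name, or None if unknown."""
    for token, bits in KEY_BITS:
        if f"_{token}_" in name:
            return bits
    return None


def resolve(spec, supported=SUPPORTED, nss_default=NSS_DEFAULT):
    """Apply an nsSSL3Ciphers value left to right; return enabled suites in supported order.

    Semantics modelled from the text: `default` = NSS defaults, `all` = every
    supported suite, and `+NAME` / `-NAME` add or remove one suite. A token
    without a sign is treated as `+`.
    """
    enabled = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name == "all":
            group = set(supported)
        elif name == "default":
            group = set(nss_default)
        elif name in supported:
            group = {name}
        else:
            raise ValueError(f"unknown cipher or keyword: {name}")
        enabled = enabled | group if sign == "+" else enabled - group
    return [c for c in supported if c in enabled]


def weak_ciphers(names):
    """Return the suites that meet any weak-cipher criterion from section 4.2."""
    weak = []
    for name in names:
        bits = key_length_bits(name)
        exportable = "EXPORT" in name
        short_key = bits is not None and bits < 128
        weak_alg = any(f"_{alg}_" in name for alg in WEAKER_THAN_3DES)
        if exportable or short_key or weak_alg:
            weak.append(name)
    return weak


def audit(spec):
    """Return (enabled, weak, needs_allow_insecure) for an nsSSL3Ciphers value."""
    enabled = resolve(spec)
    weak = weak_ciphers(enabled)
    return enabled, weak, bool(weak)


if __name__ == "__main__":
    for spec in ("default",
                 "-all,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 "all"):
        enabled, weak, needs_flag = audit(spec)
        print(f"{spec}\n  enabled: {enabled}\n  weak: {weak}\n  needs --allow-insecure-ciphers: {needs_flag}")
```

Run the script with no arguments to see the three specs evaluated; the second one is the value used in the procedure above and yields exactly the two suites shown in the verification output, with no weak suite and therefore no need for --allow-insecure-ciphers. The `all` case shows why enabling everything is a poor default: the resulting set includes export-grade and RC4 suites that the server would otherwise reject.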

4.4. Setting ciphers Directory Server supports using the web console

You can configure the cipher settings in the Cipher Preferences menu of the Directory Server web console.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You are logged in to the instance in the web console.

Procedure

  1. If you need to enable weak ciphers:

    1. Navigate to Server → Security → Security Configuration.
    2. Select Allow Weak Ciphers.
    3. Click Save Settings.
  2. Navigate to Server → Security → Cipher Preferences.
  3. Update the cipher settings. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers:

    1. Select No Ciphers in the Cipher Suite field.
    2. Enter TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in the Allow Specific Ciphers field.
  4. Click Save Settings.
  5. Click Actions → Restart Instance.

Verification

  • Navigate to Server → Security → Cipher Preferences. The Enabled Ciphers list displays the ciphers that are enabled.