7.2. Disabling SSL and Requiring TLS
TLS is enabled in the nsTLS1 parameter, which is enabled by default.
By default, SSLv3[2] is also enabled. If both TLS and SSLv3 are enabled, then a client can use either protocol to connect to the Directory Server. In some environments, SSLv3 should be disabled so that only TLSv1 connections are allowed.
In the Directory Server configuration, SSLv3 is enabled in the nsSSL3 parameter. There are two ways to change the value of this setting and disable SSLv3:
- Change the nsSSL3 attribute to off. The nsSSL3 attribute must be explicitly set to off; if the parameter is missing or has any other value, SSLv3 is implicitly enabled. For example:

    [root@server ~]# ldapmodify -D "cn=directory manager" -W -x -p 636 -h server.example.com
    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL3
    nsSSL3: off
- Use modutil to enable FIPS mode, which automatically disables SSLv3. If FIPS mode is enabled, it overrides whatever the nsSSL3 attribute is set to in order to disable SSLv3. For example:

    modutil -dbdir /etc/dirsrv/slapd-instance_name -fips true
    FIPS mode enabled.

  Enabling FIPS mode may have other security and configuration implications, however, so it may be easier to disable SSLv3 through the nsSSL3 parameter.
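The rule above (only an explicit nsSSL3: off disables SSLv3; a missing attribute or any other value leaves it enabled) is easy to get wrong when auditing many instances. The following is an added example, not part of the Red Hat documentation: it parses the LDIF that an ldapsearch of cn=encryption,cn=config would return and reports whether SSLv3 and TLSv1 are in effect. The sample entries are constructed, and the case-insensitive comparison of the on/off values and the treatment of a missing nsTLS1 as enabled (the default stated in the text) are assumptions.

```python
"""Audit a Directory Server cn=encryption,cn=config entry for SSLv3/TLSv1."""
import base64
from typing import Dict, List


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.

    Handles comments, folded continuation lines (leading space) and
    base64-encoded values ("attr:: <b64>").
    """
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF line folding
        else:
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64 value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def sslv3_enabled(attrs: Dict[str, List[str]]) -> bool:
    """SSLv3 is disabled only by an explicit nsSSL3: off (assumed case-insensitive)."""
    values = attrs.get("nsssl3", [])
    return not (len(values) == 1 and values[0].lower() == "off")


def tls1_enabled(attrs: Dict[str, List[str]]) -> bool:
    """nsTLS1 is enabled by default, so a missing attribute counts as on (assumption)."""
    values = attrs.get("nstls1", [])
    return not values or values[0].lower() == "on"


def audit(ldif: str) -> Dict[str, bool]:
    """Return the effective protocol state for one cn=encryption,cn=config entry."""
    attrs = parse_ldif_entry(ldif)
    return {"sslv3": sslv3_enabled(attrs), "tls1": tls1_enabled(attrs)}


# Constructed sample entries (not captured from a real server).
HARDENED = "dn: cn=encryption,cn=config\ncn: encryption\nnsSSL3: off\nnsTLS1: on\n"
MISSING_NSSSL3 = "dn: cn=encryption,cn=config\ncn: encryption\nnsTLS1: on\n"
WRONG_VALUE = "dn: cn=encryption,cn=config\ncn: encryption\nnsSSL3: disabled\nnsTLS1: on\n"

if __name__ == "__main__":
    for label, entry in (("hardened", HARDENED), ("missing", MISSING_NSSSL3), ("wrong", WRONG_VALUE)):
        print(label, audit(entry))
```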
[2] While SSLv2 can be enabled, SSLv2 is disabled by default in Directory Server and generally does not need to be enabled.
