TLS is controlled by the nsTLS1 parameter, which is enabled by default.

By default, SSLv3 is also enabled. If both TLS and SSLv3 are enabled, a client can use either protocol to connect to the Directory Server. In some environments, SSLv3 should be disabled so that only TLSv1 connections are allowed.

In the Directory Server configuration, SSLv3 is controlled by the nsSSL3 parameter. There are two ways to change this setting and disable SSLv3:
Set the nsSSL3 attribute to off. The attribute must be explicitly set to off; if it is missing or has any other value, SSLv3 is implicitly enabled. For example (the attribute is held in the cn=encryption,cn=config entry):

[root@server ~]# ldapmodify -D "cn=directory manager" -W -x -p 636 -h server.example.com
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
Use modutil to enable FIPS mode, which automatically disables SSLv3. If FIPS mode is enabled, it overrides whatever value the nsSSL3 attribute has in order to disable SSLv3. For example:

[root@server ~]# modutil -dbdir /etc/dirsrv/slapd-instance_name -fips true
FIPS mode enabled.
Enabling FIPS mode may have other security and configuration implications, however, so it may be simpler to disable SSLv3 by setting the nsSSL3 attribute to off.
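The rule above has an easy-to-miss edge: a missing or misspelled nsSSL3 value silently leaves SSLv3 on, and FIPS mode wins over the attribute either way. The following Python script is an added example, not part of the Directory Server documentation or the product; it parses an LDIF export of the encryption entry (in practice obtained with ldapsearch) and reports whether SSLv3 is effectively enabled under that rule, so the setting can be audited offline. It assumes the attribute lives in cn=encryption,cn=config (true for 389/Red Hat Directory Server) and that the value comparison is case-insensitive; the LDIF text embedded below is constructed sample data.

```python
"""Offline audit of the nsSSL3 / FIPS rule for Directory Server.

Added example, not from the Directory Server documentation or product.
Disabled only when nsSSL3 is explicitly "off" or FIPS mode is on; a missing
attribute or any other value means SSLv3 is implicitly enabled.
"""
from typing import Dict, List, Tuple

# Assumption: nsSSL3 and nsTLS1 live in cn=encryption,cn=config (389/Red Hat DS).
# The attribute values below are constructed sample data, not a real export.
SAMPLE_SSLV3_ON = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsTLS1: on
nsSSL3: on
"""
SAMPLE_SSLV3_OFF = SAMPLE_SSLV3_ON.replace("nsSSL3: on", "nsSSL3: off")
SAMPLE_SSLV3_MISSING = SAMPLE_SSLV3_ON.replace("nsSSL3: on\n", "")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Folds continuation lines (a line starting with a single space continues
    the previous line) and skips comments, so wrapped ldapsearch output works.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):  # "attr:: <base64>" form; drop the second colon
            value = value[1:]
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def sslv3_effectively_enabled(entry: Dict[str, List[str]],
                              fips_enabled: bool) -> Tuple[bool, str]:
    """Return (enabled, reason) following the documented rule.

    FIPS mode overrides nsSSL3. Otherwise only an explicit "off" disables
    SSLv3. Assumption: the comparison is case-insensitive ("Off" counts).
    """
    if fips_enabled:
        return False, "FIPS mode enabled: SSLv3 disabled regardless of nsSSL3"
    values = entry.get("nsssl3", [])
    if not values:
        return True, "nsSSL3 missing: SSLv3 implicitly enabled"
    if all(v.lower() == "off" for v in values):
        return False, "nsSSL3 explicitly off"
    return True, f"nsSSL3 is {values!r}: only 'off' disables SSLv3"


def audit(ldif_text: str, fips_enabled: bool = False) -> Tuple[bool, str]:
    """Parse an exported encryption entry and evaluate it."""
    return sslv3_effectively_enabled(parse_ldif_entry(ldif_text), fips_enabled)


if __name__ == "__main__":
    samples = [("on", SAMPLE_SSLV3_ON), ("off", SAMPLE_SSLV3_OFF),
               ("missing", SAMPLE_SSLV3_MISSING)]
    for label, text in samples:
        for fips in (False, True):
            enabled, reason = audit(text, fips)
            state = "ENABLED" if enabled else "disabled"
            print(f"nsSSL3={label:<7} fips={fips!s:<5} -> SSLv3 {state} ({reason})")
```

The audit deliberately treats anything other than an explicit off as enabled, matching the text: a typo such as "of" or a stray second value is reported as SSLv3 still enabled rather than assumed safe.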