7.2. Disabling SSL and Requiring TLS

TLS is controlled by the nsTLS1 parameter, which is on by default.
By default, SSLv3[2] is also enabled. If both TLS and SSLv3 are enabled, a client can use either protocol to connect to the Directory Server, so the server is only as strong as the weaker protocol it still accepts. In most environments SSLv3 should be disabled so that only TLS connections are allowed.
In the Directory Server configuration, SSLv3 is controlled by the nsSSL3 parameter. There are two ways to change this setting and disable SSLv3:
  • Set the nsSSL3 attribute to off. The attribute must be explicitly set to off; if it is missing or has any other value, SSLv3 is implicitly enabled.
    For example:
    [root@server ~]# ldapmodify -D "cn=directory manager" -W -x -p 636 -h server.example.com
    
    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL3
    nsSSL3: off
  • Use modutil to enable FIPS mode, which automatically disables SSLv3. When FIPS mode is enabled, it takes precedence over the nsSSL3 attribute, whatever its value. For example, enable FIPS mode on the instance's NSS database and then confirm the result:
    modutil -dbdir /etc/dirsrv/slapd-instance_name -fips true
    modutil -dbdir /etc/dirsrv/slapd-instance_name -chkfips true
    FIPS mode enabled.
    Enabling FIPS mode has other security and configuration implications (for example, it restricts the ciphers and algorithms NSS will use), so setting nsSSL3 to off is usually the simpler option.
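The rule above (SSLv3 stays enabled unless nsSSL3 is explicitly off, and FIPS mode overrides the attribute) is easy to get wrong when auditing many instances. The following is an added example, not code from this guide or from the Directory Server project, that applies that rule to a copy of the cn=encryption,cn=config entry (as found in dse.ldif or in ldapsearch output) and produces the LDIF to feed to ldapmodify when remediation is needed. The sample entry is constructed for the example, and the case-insensitive comparison of the nsSSL3 value is an assumption, since the page only shows the lower-case form.

```python
"""Audit the effective SSLv3 state of a Directory Server instance from its
cn=encryption,cn=config entry and emit the ldapmodify LDIF that turns it off.

Example code added for this page; it is not part of Directory Server.
"""
from typing import Dict, List

# Constructed sample of the relevant entry, as it would appear in dse.ldif or
# in "ldapsearch -b cn=encryption,cn=config" output. nsSSL3 is deliberately
# set to "on" so the audit has something to flag.
SAMPLE_ENTRY = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL3: on
nsTLS1: on
"""

# LDIF for: ldapmodify -D "cn=directory manager" -W -x ...
REMEDIATION_LDIF = """\
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into attribute -> list of values.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; LDIF continuation lines (leading space) are joined.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def sslv3_enabled(attrs: Dict[str, List[str]], fips_mode: bool = False) -> bool:
    """Apply the rule from this section: SSLv3 is enabled unless nsSSL3 is
    explicitly "off" (missing or any other value means enabled). FIPS mode
    overrides the attribute and forces SSLv3 off. The value comparison is
    case-insensitive here (assumption; the page only shows "off")."""
    if fips_mode:
        return False
    values = attrs.get("nsssl3", [])
    return not (len(values) == 1 and values[0].lower() == "off")


def tls_enabled(attrs: Dict[str, List[str]]) -> bool:
    """nsTLS1 is on by default, so a missing attribute counts as enabled."""
    values = attrs.get("nstls1", [])
    return not (len(values) == 1 and values[0].lower() == "off")


def audit(text: str, fips_mode: bool = False) -> Dict[str, bool]:
    """Summarise the effective protocol state of one entry."""
    attrs = parse_ldif_entry(text)
    ssl3 = sslv3_enabled(attrs, fips_mode)
    tls = tls_enabled(attrs)
    return {"sslv3": ssl3, "tls": tls, "compliant": tls and not ssl3}


def remediation_ldif(text: str, fips_mode: bool = False) -> str:
    """Return the LDIF to pipe into ldapmodify when SSLv3 is effectively
    enabled; an empty string means no change is needed."""
    if sslv3_enabled(parse_ldif_entry(text), fips_mode):
        return REMEDIATION_LDIF
    return ""


if __name__ == "__main__":
    result = audit(SAMPLE_ENTRY)
    print(result)
    if not result["compliant"]:
        print("Apply with: ldapmodify -D 'cn=directory manager' -W -x ... <<EOF")
        print(remediation_ldif(SAMPLE_ENTRY), end="")
        print("EOF")
```

After applying the change, confirm from a client that an SSLv3-only handshake to port 636 is rejected while a TLS handshake still succeeds; with an OpenSSL build that still includes SSLv3, `openssl s_client -connect server.example.com:636 -ssl3` must fail. Because a missing nsSSL3 attribute counts as enabled, an audit that only greps for `nsSSL3: on` would miss instances where the attribute was never set, which is why the check above treats absence as a finding.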


[2] While SSLv2 can be enabled, it is disabled by default in Directory Server and generally does not need to be enabled.