7.9. Setting Encryption Ciphers

The Directory Server supports several different ciphers, and the ciphers to use for TLS/SSL communications are chosen by the administrator. A cipher is the algorithm used for encryption. Some ciphers are more secure, or stronger, than others. Generally speaking, the more bits in a cipher's key, the harder it is to recover the key by brute force.
When a client initiates a TLS/SSL connection with a server, the client tells the server which ciphers it is willing to use to encrypt information. Both parties must agree on the same cipher for the session. There are a number of ciphers available, so the server needs to support the ciphers that will be used by the client applications connecting to it.

7.9.1. Available Ciphers

This section lists information about the available ciphers for Directory Server encryption. Each cipher has the following information:
  • Directory Server name. The name of the cipher suite used when configuring the Directory Server. The Directory Server uses this name both internally and in the Directory Server Console.
  • Key exchange. The key exchange algorithm. DHE stands for ephemeral Diffie-Hellman; DSS stands for Digital Signature Standard. The 1024 bit ciphers are lower strength ciphers formerly used to satisfy export controls.
  • Encryption Algorithm. AES stands for the Advanced Encryption Standard. DES stands for Data Encryption Standard.
  • Symmetric Key Bit Size. The size in bits of the key used for the actual transport data encryption.
  • Message Authentication. SHA stands for Secure Hash Algorithm.

Note

Directory Server supports ciphers for TLSv1 (recommended) and SSLv3. SSLv2 support is deprecated and is not enabled by default in Directory Server. SSLv3 has itself since been deprecated by the IETF (RFC 7568), so disable it wherever the connecting clients allow.
To get a list of ciphers supported by the available version of the crypto library:
$ ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Directory Manager" -W \
     -b 'cn=encryption,cn=config' -s base nsSSLSupportedCiphers -o ldif-wrap=no

dn: cn=encryption,cn=config
nsSSLSupportedCiphers: TLS::tls_rsa_aes_256_sha::AES::SHA1::256
nsSSLSupportedCiphers: TLS::rsa_aes_256_sha::AES::SHA1::256
...
To get a list of ciphers currently configured in cn=encryption,cn=config by the nsSSL3Ciphers parameter:
$ ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Directory Manager" -W \
     -b 'cn=encryption,cn=config' -s base nsSSLEnabledCiphers -o ldif-wrap=no

dn: cn=encryption,cn=config
nssslenabledciphers: TLS::tls_dhe_dss_aes_256_sha::AES::SHA1::256
nssslenabledciphers: TLS::tls_dhe_rsa_aes_256_sha::AES::SHA1::256
...
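The cipher records that the two ldapsearch queries return follow a fixed five-field layout, protocol::Directory Server name::encryption algorithm::message authentication::symmetric key bits, which matches the columns described above. The following is an added example, not code from the Directory Server or its documentation, that parses such LDIF output, reports enabled ciphers that fail a simple policy (null or single-DES or RC4 encryption, MD5 message authentication, or a key shorter than 128 bits), and builds the ldapmodify LDIF needed to restrict nsSSL3Ciphers to the strong ones. The sample LDIF is constructed (the DES, RC4 and NULL records are made up to exercise the checks), and the "-all,+name" value syntax for nsSSL3Ciphers is an assumption to verify against your release's configuration reference.

```python
"""Audit Directory Server cipher lists from ldapsearch LDIF output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the shape of the output from the two queries above,
# with a few deliberately weak records added so the policy check has something to flag.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSLSupportedCiphers: TLS::tls_rsa_aes_256_sha::AES::SHA1::256
nsSSLSupportedCiphers: TLS::rsa_aes_256_sha::AES::SHA1::256
nsSSLSupportedCiphers: TLS::tls_dhe_dss_aes_256_sha::AES::SHA1::256
nsSSLSupportedCiphers: TLS::rsa_des_sha::DES::SHA1::56
nsSSLSupportedCiphers: TLS::rsa_rc4_128_md5::RC4::MD5::128
nsSSLSupportedCiphers: TLS::rsa_null_md5::NULL::MD5::0
nssslenabledciphers: TLS::tls_dhe_dss_aes_256_sha::AES::SHA1::256
nssslenabledciphers: TLS::rsa_rc4_128_md5::RC4::MD5::128
"""


@dataclass(frozen=True)
class Cipher:
    protocol: str    # e.g. TLS
    name: str        # Directory Server cipher name (what nsSSL3Ciphers refers to)
    algorithm: str   # AES, DES, RC4, NULL, ...
    mac: str         # SHA1, MD5, ...
    key_bits: int    # symmetric key size in bits


_LINE = re.compile(r"^(?P<attr>[A-Za-z0-9]+):\s*(?P<val>\S+)$")
_CIPHER_ATTRS = ("nssslsupportedciphers", "nssslenabledciphers")


def parse_cipher_ldif(text):
    """Return {attribute (lowercase): [Cipher, ...]} from ldapsearch LDIF output.

    Attribute names are matched case-insensitively because the server may
    return them in either form (nsSSLEnabledCiphers vs nssslenabledciphers).
    """
    result = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m or m.group("attr").lower() not in _CIPHER_ATTRS:
            continue  # dn: line, blank line, or an unrelated attribute
        fields = m.group("val").split("::")
        if len(fields) != 5:
            raise ValueError("unexpected cipher record: %r" % line)
        proto, name, alg, mac, bits = fields
        result.setdefault(m.group("attr").lower(), []).append(
            Cipher(proto, name, alg.upper(), mac.upper(), int(bits)))
    return result


# Policy: reject null encryption, single DES, RC4, MD5 authentication, short keys.
WEAK_ALGORITHMS = {"NULL", "DES", "RC4"}
WEAK_MACS = {"MD5"}
MIN_KEY_BITS = 128


def is_weak(cipher):
    return (cipher.algorithm in WEAK_ALGORITHMS
            or cipher.mac in WEAK_MACS
            or cipher.key_bits < MIN_KEY_BITS)


def weak_enabled(text):
    """Names of currently enabled ciphers that fail the policy (sorted)."""
    parsed = parse_cipher_ldif(text)
    return sorted(c.name for c in parsed.get("nssslenabledciphers", []) if is_weak(c))


def strong_supported(text):
    """Names of supported ciphers that pass the policy (sorted)."""
    parsed = parse_cipher_ldif(text)
    return sorted(c.name for c in parsed.get("nssslsupportedciphers", []) if not is_weak(c))


def restrict_ciphers_ldif(names):
    """LDIF for ldapmodify that disables every cipher except `names`.

    ASSUMPTION: nsSSL3Ciphers accepts a comma-separated list where "-all"
    disables everything and "+name" re-enables one cipher; confirm this
    against the configuration reference for your Directory Server release.
    """
    value = ",".join(["-all"] + ["+" + n for n in names])
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: nsSSL3Ciphers\n"
            "nsSSL3Ciphers: " + value + "\n")


if __name__ == "__main__":
    print("weak ciphers enabled:", weak_enabled(SAMPLE_LDIF))
    print(restrict_ciphers_ldif(strong_supported(SAMPLE_LDIF)))
```

Feed the real output of the two ldapsearch commands above into weak_enabled() to see what a client can currently negotiate; if anything is listed, pipe the LDIF from restrict_ciphers_ldif() into ldapmodify against cn=encryption,cn=config and restart the server so the new nsSSL3Ciphers value takes effect.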

7.9.2. Selecting the Encryption Cipher

  1. Make sure TLS/SSL is enabled for the server. For instructions on enabling TLS/SSL, see Section 7.4, “Setting up TLS/SSL”.
  2. Select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane.
  3. Select the Encryption tab in the right pane.
  4. Click the Cipher Setting button.
  5. In the Cipher Preference dialog box, specify which ciphers for the Directory Server to use by selecting them from the list, and click OK.
    By default, ALL in the TLS tab is selected. When ALL is set, the server selects safe ciphers internally.

    Warning

    Avoid selecting the none,MD5 cipher, because the server falls back to it when the client offers no other cipher instead of refusing the connection. The none,MD5 cipher is not secure: no encryption occurs, and the data is only integrity-checked with MD5.