How to disable SSLv3 in Red Hat Directory Server 9?
Environment
- Red Hat Enterprise Linux 6
- Red Hat Directory Server 9
Issue
- Need to disable SSLv3 and use TLSv1 instead
Resolution
- Stop Directory Server with the command: service dirsrv stop
- Edit the dse.ldif file in /etc/dirsrv/slapd-(instance name)/
- Look for the entry dn: cn=encryption,cn=config
- Set the following attributes and values on that entry:
nsSSL2: off
nsSSL3: off
nsTLS1: on
- Start Directory Server with the command: service dirsrv start
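The edit in the steps above, as an added shell example that is not part of this article: it rewrites the three attributes on a copy of dse.ldif with awk, leaves every other entry untouched, and checks the result so the file can be reviewed before the instance is started again. The sample LDIF and the function names are constructed for the demonstration.

```shell
# Added example, not from the Red Hat article: apply the cn=encryption,cn=config
# change to a dse.ldif copy with awk and verify it. Sample data is constructed.
# Constructed minimal dse.ldif with SSLv3 still enabled (two entries).
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: cn=encryption,cn=config
cn: encryption
nsSSL2: off
nsSSL3: on
nsTLS1: off

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
EOF
}

# Print the LDIF with nsSSL2/nsSSL3 off and nsTLS1 on in the encryption entry
# only. awk paragraph mode (RS="") gives one blank-line-separated entry per
# record; attributes the entry lacks are appended.
disable_sslv3_in_ldif() {
  awk 'BEGIN { RS = ""; FS = "\n"; ORS = "\n\n" }
  {
    if ($1 != "dn: cn=encryption,cn=config") { print; next }
    s2 = s3 = t1 = 0; out = ""
    for (i = 1; i <= NF; i++) {
      line = $i
      if (line ~ /^nsSSL2:/)      { line = "nsSSL2: off"; s2 = 1 }
      else if (line ~ /^nsSSL3:/) { line = "nsSSL3: off"; s3 = 1 }
      else if (line ~ /^nsTLS1:/) { line = "nsTLS1: on";  t1 = 1 }
      out = out (i > 1 ? "\n" : "") line
    }
    if (!s2) out = out "\nnsSSL2: off"
    if (!s3) out = out "\nnsSSL3: off"
    if (!t1) out = out "\nnsTLS1: on"
    print out
  }' "$1"
}

# Exit 0 only when the encryption entry carries nsSSL3: off and nsTLS1: on.
sslv3_disabled_in_ldif() {
  awk 'BEGIN { RS = ""; FS = "\n"; ok = 1 }
  $1 == "dn: cn=encryption,cn=config" {
    s3 = t1 = 0
    for (i = 1; i <= NF; i++) { if ($i == "nsSSL3: off") s3 = 1; if ($i == "nsTLS1: on") t1 = 1 }
    ok = (s3 && t1) ? 0 : 1
  }
  END { exit ok }' "$1"
}
```

Run it as `disable_sslv3_in_ldif /path/to/dse.ldif > dse.ldif.new && sslv3_disabled_in_ldif dse.ldif.new` on a copy taken while the instance is stopped, then put the checked file in place.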
Root Cause
- See article POODLE: SSLv3 vulnerability (CVE-2014-3566)
Diagnostic Steps
- The article POODLE: SSLv3 vulnerability (CVE-2014-3566) describes how to determine whether a server is vulnerable
- You may use the openssl command line tool to verify that SSLv3 is disabled:
# echo "exit" | openssl s_client -ssl3 -connect localhost:636
If SSLv3 is enabled, you will see text similar to the following at the end of the command output:
SSL handshake has read 2056 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES128-SHA
Session-ID: 10F8C3B3B3A0C78397E87EECCA09A4FC0D1B2DB9F47C212EA4AB5292E18CB6XYZ
Session-ID-ctx:
Master-Key: 9224CC915F5E893A1295A4838B350779B3A3A3F64E195BDB371E9DBCC154DC31305C7810F6D11F1096D1ECF49A890XYZ
Key-Arg : None
Krb5 Principal: None
Start Time: 1414690450
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
If SSLv3 is disabled, the following output will be shown:
CONNECTED(00000003)
4729:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:281:
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.