Can we disable SSLv3 and use TLS in Red Hat Directory Server 8?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Directory Server 8
Issue
- Need to disable SSLv3 and use TLSv1
- Went into dse.ldif in dn: cn=encryption,cn=config and set nsSSL3 to off
- The system is still allowing SSLv3 ciphers
Resolution
Errata for DS8.2 released to resolve:
For DS8 prior to 8.2, an upgrade to 8.2 is required.
Root Cause
Previously, disabling the use of SSLv3 while FIPS mode was on was not supported,
so Red Hat Directory Server had no way to explicitly disallow SSLv3 and use only
TLSv1 once FIPS mode had been enabled. This update adds the necessary support
for disabling SSLv3 with FIPS mode on and thus fixes the problem. (BZ#707015)
Diagnostic Steps
- You may use the openssl command line tool to verify that SSLv3 is disabled:
# echo "exit" |openssl s_client -ssl3 -connect localhost:636
If SSLv3 is enabled, you will see text similar to the following at the end of the command output:
SSL handshake has read 2056 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES128-SHA
Session-ID: 10F8C3B3B3A0C78397E87EECCA09A4FC0D1B2DB9F47C212EA4AB5292E18CB6XYZ
Session-ID-ctx:
Master-Key: 9224CC915F5E893A1295A4838B350779B3A3A3F64E195BDB371E9DBCC154DC31305C7810F6D11F1096D1ECF49A890XYZ
Key-Arg : None
Krb5 Principal: None
Start Time: 1414690450
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
If SSLv3 is disabled, the following output will be shown:
CONNECTED(00000003)
4729:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:281:
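The following script is an added example and is not part of the Red Hat article. It wraps the openssl check above so that the result can be read mechanically, and it probes both SSLv3 (which should be refused after the fix) and TLSv1 (which should still negotiate, so the change did not break LDAPS clients). It assumes an openssl binary that still accepts the -ssl3 and -tls1 options; newer OpenSSL builds drop SSLv3 entirely and the script reports that as "unsupported" rather than as evidence that the server is fixed. The sample outputs used for the offline run are constructed from the shapes shown above.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for a given protocol.
# Assumption: the local openssl accepts -ssl3 / -tls1 for the live probe.

# classify_s_client_output PROTO  < s_client-output
# Prints one of:
#   negotiated  - the SSL-Session block reports "Protocol : PROTO"
#   refused     - the server rejected the handshake (wrong version number, alert)
#   unsupported - this openssl build does not know the protocol option
#   unknown     - anything else (connection refused, timeout, ...)
classify_s_client_output() {
    proto="$1"
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "Protocol *: *$proto"; then
        echo negotiated
    elif printf '%s\n' "$out" | grep -qi "unknown option"; then
        echo unsupported
    elif printf '%s\n' "$out" | grep -qiE "wrong version number|handshake failure|alert"; then
        echo refused
    else
        echo unknown
    fi
}

# probe HOST PORT FLAG PROTO  (live check; needs network access to the server)
# e.g. probe localhost 636 -ssl3 SSLv3
probe() {
    host="$1"; port="$2"; flag="$3"; proto="$4"
    echo exit | openssl s_client "$flag" -connect "$host:$port" 2>&1 \
        | classify_s_client_output "$proto"
}

# After the errata/upgrade the expected result is: SSLv3 refused, TLSv1 negotiated.
check_directory_server() {
    host="${1:-localhost}"; port="${2:-636}"
    echo "SSLv3: $(probe "$host" "$port" -ssl3 SSLv3)"
    echo "TLSv1: $(probe "$host" "$port" -tls1 TLSv1)"
}

# Constructed sample outputs (abridged to the lines the classifier relies on),
# so the classifier can be exercised offline without a Directory Server.
SAMPLE_SSLV3_ENABLED='SSL-Session:
Protocol : SSLv3
Cipher : AES128-SHA
DONE'
SAMPLE_SSLV3_DISABLED='CONNECTED(00000003)
4729:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:281:'
SAMPLE_NO_SSL3_OPTION='s_client: Unknown option: -ssl3'

# Offline demonstration; run check_directory_server HOST PORT for a live server.
echo "sample (SSLv3 still on):   $(printf '%s\n' "$SAMPLE_SSLV3_ENABLED"  | classify_s_client_output SSLv3)"
echo "sample (SSLv3 disabled):   $(printf '%s\n' "$SAMPLE_SSLV3_DISABLED" | classify_s_client_output SSLv3)"
echo "sample (openssl w/o SSLv3): $(printf '%s\n' "$SAMPLE_NO_SSL3_OPTION" | classify_s_client_output SSLv3)"
```

Run it as `. ./sslv3_check.sh; check_directory_server ldap.example.com 636` (hostname is a placeholder) after applying the errata; a "refused" for SSLv3 together with "negotiated" for TLSv1 is the state the resolution above aims for, while "unsupported" means the test machine's openssl cannot speak SSLv3 at all and a different client must be used for the negative check.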
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.