Chapter 4. Updating the list of ciphers Directory Server supports
To establish an encrypted connection, both Directory Server and the client need at least one common cipher. For example, if a legacy application requires a cipher that is not enabled by default in Directory Server, you can enable it.
4.1. The difference between default ciphers and available ciphers
Instead of listing individual ciphers in the configuration, you can use one of the following keywords in the nsSSL3Ciphers parameter:
default: Refers to the default ciphers enabled in the network security services (NSS). To display the list, enter:

  # /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"

The default keyword is the default value of the nsSSL3Ciphers parameter.

all: Refers to all supported ciphers in Directory Server. To display the list, enter:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --supported

Entries in nsSSL3Ciphers are comma-separated and processed in order; a + prefix enables a cipher or keyword and a - prefix disables it. Use the all keyword when you want to enable only specific ciphers. For example, setting nsSSL3Ciphers to -all,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 configures Directory Server to disable all ciphers and then enable only TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
4.2. Weak ciphers
By default, Directory Server rejects weak ciphers. To use them, you must explicitly configure Directory Server to allow them.
Ciphers are considered weak if:
- They are exportable. Exportable ciphers are labeled EXPORT in the cipher name, for example TLS_RSA_EXPORT_WITH_RC4_40_MD5.
- They are symmetrical and weaker than the 3DES algorithm. Symmetrical ciphers use the same cryptographic keys for both encryption and decryption.
- The key length is shorter than 128 bits.
4.3. Setting ciphers Directory Server supports using the command line
To update the list of supported ciphers in Directory Server, update the nsSSL3Ciphers parameter.
Prerequisites
- You enabled TLS encryption in Directory Server.
Procedure
1. Display the list of enabled ciphers:

   # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --enabled

2. If you need to enable weak ciphers, enter:

   # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --allow-insecure-ciphers on

   Do this only for a documented legacy client that cannot negotiate anything stronger; a weak cipher that is enabled can be negotiated by any client.

3. Update the nsSSL3Ciphers parameter. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers, enter:

   # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers set -- "-all,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

   The -- separator tells dsconf that everything after it is an argument, so that the leading - of -all is not parsed as a command option. Do not escape -all with a \ character instead: inside double quotes the shell keeps the backslash, so the server receives a \-all token, which causes an error or results in a different cipher selection than the one you intended.

4. Restart the instance:

   # dsctl instance_name restart
Verification
Display the list of enabled ciphers:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list
  default
  +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
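The following Python script is an added example and is not code from Directory Server, dsconf or lib389. It models how an nsSSL3Ciphers expression from section 4.1 resolves to an enabled set, applies the weak-cipher rules from section 4.2, and shows why the -- separator in section 4.3 matters. The cipher lists, the stand-in for the NSS default set, the key-length mapping, the left-to-right parsing order and the choice to drop weak suites (rather than fail) when they are not allowed are all assumptions made for this dry run, not the server's implementation.

```python
"""Offline model of the nsSSL3Ciphers expression and the weak-cipher rules.

Added example, not Directory Server or dsconf code. The cipher lists are
constructed samples; the parsing order, the `default` set and the
treatment of weak suites are assumptions about the documented behaviour.
"""
import re
import shlex

# Constructed stand-in for `dsconf ... security ciphers list --supported`.
SUPPORTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",  # exportable: weak (section 4.2)
    "TLS_RSA_WITH_DES_CBC_SHA",        # 56-bit key: weak (section 4.2)
]
# Constructed stand-in for the NSS `default` set (assumed: the ECDHE suites).
DEFAULT = SUPPORTED[:4]

# Nominal symmetric key length per bulk-cipher token (assumed mapping;
# 3DES is counted at its nominal 168 bits so it sits at the page's floor).
KEY_BITS = {"AES_256": 256, "AES_128": 128, "3DES_EDE": 168,
            "RC4_128": 128, "RC4_40": 40, "DES_CBC": 56, "NULL": 0}

# One token: optional +/- sign, then a keyword or suite name. A backslash
# (the `\-all` mistake from section 4.3) does not match and is rejected.
TOKEN = re.compile(r"^([+-]?)([A-Za-z0-9_]+)$")


def key_bits(cipher):
    """Symmetric key length implied by the suite name."""
    for token, bits in KEY_BITS.items():
        if token in cipher:
            return bits
    raise ValueError(f"cannot classify bulk cipher in {cipher}")


def is_weak(cipher):
    """Section 4.2: exportable, or a symmetric key shorter than 128 bits."""
    return "EXPORT" in cipher or key_bits(cipher) < 128


def resolve(expr, supported=SUPPORTED, default=DEFAULT, allow_weak=False):
    """Apply an nsSSL3Ciphers expression; return (enabled, rejected_weak).

    Tokens are comma-separated and applied left to right: `all` and
    `default` expand to a set, a bare or `+` name enables one suite and a
    `-` name disables it. Unknown or malformed tokens raise. Weak suites
    go to `rejected` unless allow_weak is set, which models
    `security set --allow-insecure-ciphers on`.
    """
    enabled = set()
    for raw in expr.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = TOKEN.match(raw)
        if not m:
            raise ValueError(f"malformed cipher token {raw!r}")
        sign, name = m.group(1) or "+", m.group(2)
        if name == "all":
            names = set(supported)
        elif name == "default":
            names = set(default)
        elif name in supported:
            names = {name}
        else:
            raise ValueError(f"unknown cipher or keyword {name!r}")
        enabled = enabled | names if sign == "+" else enabled - names
    rejected = [] if allow_weak else sorted(c for c in enabled if is_weak(c))
    return sorted(enabled - set(rejected)), rejected


def cipher_argument(command_line):
    """The cipher expression dsconf actually receives from a shell command
    line: the word after the `--` separator, with POSIX quoting applied."""
    words = shlex.split(command_line)
    return words[words.index("--") + 1]


if __name__ == "__main__":
    for expr in ("default", "-all,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "+all"):
        print(expr, "->", resolve(expr))
    print("+all with weak ciphers allowed ->", resolve("+all", allow_weak=True))
    # `--` hands dsconf -all,...; a backslash inside double quotes survives
    # and hands it \-all,..., which the resolver rejects.
    bad = cipher_argument('dsconf security ciphers set -- "\\-all,+TLS_RSA_WITH_AES_128_CBC_SHA"')
    try:
        resolve(bad)
    except ValueError as err:
        print(repr(bad), "->", err)
```

Run it as a dry run before touching a live instance, then compare its output with what `security ciphers list --enabled` reports after the restart. The server's own weak-cipher list may be stricter than the three rules in section 4.2, so treat the model as a sanity check on the expression you are about to set, not as authoritative.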
4.4. Setting ciphers Directory Server supports using the web console
You can configure the cipher settings in the Cipher Preferences menu of the Directory Server web console.
Prerequisites
- You enabled TLS encryption in Directory Server.
- You are logged in to the instance in the web console.
Procedure
1. If you need to enable weak ciphers:
   a. Navigate to .
   b. Select Allow Weak Ciphers.
   c. Click Save Settings.
2. Navigate to
3. Navigate to .
4. Update the cipher settings. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers:
   a. Select No Ciphers in the Cipher Suite field.
   b. Enter TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in the Allow Specific Ciphers field.
   c. Select
   d. Click .
5. Click .
Verification
- Navigate to . The Enabled Ciphers list displays the ciphers that are enabled.