
Chapter 4. Updating the list of ciphers Directory Server supports


To establish an encrypted connection, both Directory Server and the client need at least one common cipher. For example, if a legacy application requires a cipher that is not enabled by default in Directory Server, you can enable it.

4.1. The difference between default ciphers and available ciphers

Instead of listing individual ciphers in the configuration, you can use one of the following keywords in the nsSSL3Ciphers parameter:

  • default: Refers to the default ciphers enabled in the network security services (NSS). To display the list, enter:

    # /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"

    The default keyword is the default value of the nsSSL3Ciphers parameter.

  • all: Refers to all supported ciphers in Directory Server. To display the list, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --supported

    Use the all keyword when you want to enable only specific ciphers. For example, setting nsSSL3Ciphers to -all,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 configures Directory Server to disable all ciphers and enable only TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

4.2. Weak ciphers

By default, Directory Server rejects weak ciphers; if you need them, you must explicitly configure Directory Server to support them.

Ciphers are considered weak if:

  • They are exportable.

    Exportable ciphers carry EXPORT in the cipher name, for example TLS_RSA_EXPORT_WITH_RC4_40_MD5.

  • They are symmetrical and weaker than the 3DES algorithm.

    Symmetrical ciphers use the same cryptographic keys for both encryption and decryption.

  • The key length is shorter than 128 bits.
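The keyword syntax of section 4.1 and the weak-cipher rules of section 4.2 can be checked offline before you touch a server. The following is an added example, not Red Hat's code: it resolves an nsSSL3Ciphers value against a constructed sample of supported and default ciphers and applies the three weak-cipher rules; the assumption that `+`/`-` also apply to the `all` and `default` keywords, and the sample cipher lists, are not from the chapter.

```python
# Added example (not Red Hat code). SUPPORTED and DEFAULT are constructed
# stand-ins for `dsconf ... ciphers list --supported` and NSS listsuites.
SUPPORTED = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}
DEFAULT = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Symmetric algorithms weaker than 3DES (second rule in section 4.2).
WEAKER_THAN_3DES = {"RC4", "RC2", "DES", "NULL"}

def is_weak(cipher: str) -> bool:
    """Apply the three weak-cipher rules of section 4.2 to a suite name."""
    if "EXPORT" in cipher:                      # rule 1: exportable
        return True
    bulk = cipher.split("_WITH_", 1)[1].split("_")
    if bulk[0] in WEAKER_THAN_3DES:             # rule 2: weaker than 3DES
        return True
    # rule 3: key length below 128 bits when the name carries one (AES_128,
    # RC4_40); 3DES_EDE carries no length and passes this rule
    return len(bulk) > 1 and bulk[1].isdigit() and int(bulk[1]) < 128

def resolve(spec: str, allow_insecure: bool = False) -> set:
    """Ciphers an nsSSL3Ciphers value enables; entries apply left to right.
    'all'/'default' expand to their sets, leading '+' enables and '-' disables
    (assumed to work on keywords too); weak ciphers are dropped unless
    allow_insecure is set, mirroring --allow-insecure-ciphers on."""
    enabled: set = set()
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        sign, name = (entry[0], entry[1:]) if entry[0] in "+-" else ("+", entry)
        if name == "all":
            members = SUPPORTED
        elif name == "default":
            members = DEFAULT
        elif name in SUPPORTED:
            members = {name}
        else:
            raise ValueError(f"unknown cipher or keyword: {name}")
        enabled = enabled | members if sign == "+" else enabled - members
    return enabled if allow_insecure else {c for c in enabled if not is_weak(c)}
```

Running `resolve("-all,+TLS_RSA_WITH_RC4_128_SHA")` returns an empty set unless `allow_insecure=True`, which is the behaviour step 2 of section 4.3 exists to change.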

4.3. Setting ciphers Directory Server supports using the command line

To update the list of supported ciphers in Directory Server, update the nsSSL3Ciphers parameter.

Prerequisites

  • You enabled TLS encryption in Directory Server.

Procedure

  1. Display the list of enabled ciphers:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --enabled
  2. If you need to enable weak ciphers, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security set --allow-insecure-ciphers on
  3. Update the nsSSL3Ciphers parameter. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers set -- "-all,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

    Use -- so that the leading - character in -all is not interpreted as an option to the command. Do not use a \ character to escape -all: it can cause an error and result in a different cipher selection than intended.

  4. Restart the instance:

    # dsctl instance_name restart

Verification

  • Display the list of enabled ciphers:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list
    default
    +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

4.4. Setting ciphers Directory Server supports using the web console

You can configure the cipher settings in the Cipher Preferences menu of the Directory Server web console.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You are logged in to the instance in the web console.

Procedure

  1. If you need to enable weak ciphers:

    1. Navigate to Server → Security → Security Configuration.
    2. Select Allow Weak Ciphers.
    3. Click Save Settings.
  2. Navigate to Server → Security → Cipher Preferences.
  3. Update the cipher settings. For example, to enable only the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers:

    1. Select No Ciphers in the Cipher Suite field.
    2. Enter TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in the Allow Specific Ciphers field.
  4. Click Save Settings.
  5. Click Actions → Restart Instance.

Verification

  • Navigate to Server → Security → Cipher Preferences. The Enabled Ciphers list displays the ciphers that are enabled.