Hello Derek,

The SSL range setting is supported on RHEL-7.x, but not on RHEL-6.x.

Please use "nsSSL3" and "nsTLS1" to control the SSL versions.

By default (without having nsSSL3 and nsTLS1 in cn=encryption,cn=config), the range is TLS1.0 through the highest the NSS on the system supports, e.g., TLS1.2.

Currently, there is no way to disable TLS1.0 on RHEL-6.7. We are adding an nsTLS1.0 option to allow disabling it, but it is not ready yet.
Thanks.
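As an added example (not code from the thread or from the 389 project), the script below encodes the rules stated above so an operator can audit a cn=encryption entry and generate the right ldapmodify input for the build at hand. It assumes: the RHEL major release is taken from the rpm dist tag (el6 vs el7) and only el7 or newer accepts sslVersionMin/sslVersionMax; the NSS ceiling is passed in by the caller (nss_max, default TLS1.2) because it depends on the installed NSS; and the sample entry is constructed from the dse.ldif posted in the thread, including an LDIF-folded nsSSL3Ciphers value. Function names (parse_ldif_entry, effective_range, ldif_for_range) are hypothetical.

```python
import re

# Protocol names in ascending order, as 389 DS spells them in these attributes.
PROTOCOLS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]

# Constructed sample modelled on the dse.ldif entry posted in the thread.
SAMPLE_ENTRY = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.

    LDIF folds long values onto following lines that start with one space
    (the nsSSL3Ciphers value above is folded that way), so unfold first.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def rhel_major(rpm_name):
    """RHEL major from a dist tag such as '...-68.el6_7.x86_64' (assumption:
    the dist tag is the only signal we use); None if there is no tag."""
    m = re.search(r"\.el(\d+)", rpm_name)
    return int(m.group(1)) if m else None


def effective_range(entry, nss_max="TLS1.2"):
    """(min, max) the server actually enforces, per the rules in the reply:
    sslVersionMin/Max win when present; otherwise the floor is TLS1.0
    (SSL3 if nsSSL3 is on) and the ceiling is whatever NSS supports."""
    lo = entry.get("sslversionmin", [None])[0]
    hi = entry.get("sslversionmax", [None])[0]
    if lo is None:
        ssl3_on = entry.get("nsssl3", ["off"])[0].lower() == "on"
        lo = "SSL3" if ssl3_on else "TLS1.0"
    if hi is None:
        hi = nss_max
    return lo, hi


def ldif_for_range(rpm_name, lo, hi):
    """ldapmodify LDIF that gets as close to enforcing [lo, hi] as the build
    allows. Returns (ldif_text, warnings)."""
    if lo not in PROTOCOLS or hi not in PROTOCOLS or PROTOCOLS.index(lo) > PROTOCOLS.index(hi):
        raise ValueError("bad range %s-%s" % (lo, hi))
    warnings = []
    major = rhel_major(rpm_name)
    if major is not None and major >= 7:
        mods = [("sslVersionMin", lo), ("sslVersionMax", hi)]
    else:
        # el6 builds reject sslVersionMin/Max (object class violation); only
        # the per-protocol switches exist, and TLS1.0 cannot be switched off.
        mods = [("nsSSL2", "off"),
                ("nsSSL3", "on" if lo == "SSL3" else "off"),
                ("nsTLS1", "on")]
        if PROTOCOLS.index(lo) > PROTOCOLS.index("TLS1.0"):
            warnings.append("TLS1.0 stays enabled: this build cannot raise the floor above TLS1.0")
    lines = ["dn: cn=encryption,cn=config", "changetype: modify"]
    for i, (attr, value) in enumerate(mods):
        if i:
            lines.append("-")
        lines += ["replace: %s" % attr, "%s: %s" % (attr, value)]
    return "\n".join(lines) + "\n", warnings


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    print("effective range:", effective_range(entry))
    ldif, warns = ldif_for_range("389-ds-base-1.2.11.15-68.el6_7.x86_64", "TLS1.1", "TLS1.2")
    print(ldif)
    for w in warns:
        print("WARNING:", w)
```

Feed the output of `ldapsearch -b cn=encryption,cn=config` (or the dse.ldif excerpt) to parse_ldif_entry, and the `rpm -q 389-ds-base` string to ldif_for_range; the warning is the practical answer to the question in the thread, since on the el6 build the generated LDIF can turn SSLv3 off but cannot exclude TLS1.0.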

On 05/03/2016 12:05 PM, Derek Belcher wrote:
Thank you, Mark.

I am getting a fail message when trying to set the SSL version range to enforce TLS1.1 through TLS1.2. When I try to replace the "sslversionmin" and "sslversionmax" I receive an error saying that the attribute is not allowed. I checked the dse.ldif to see if it was in there and it was not. So instead of doing a "replace" I tried an "add" and got the same error message.

I am obviously missing or needing something extra, but what?

 # ldapmodify -D "cn=directory manager" -W -f set_TLS_range_enforce.ldif
Enter LDAP Password:
modifying entry "cn=encryption,cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute "sslversionmin" not allowed

#
# cat set_TLS_range_enforce.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: sslVersionMin
sslVersionMin: TLS1.1
-
replace: sslVersionMax
sslVersionMax: TLS1.2
#
#
#
# grep "dn: cn=encryption,cn=config" /etc/dirsrv/slapd-MY-SERVER/dse.ldif -A18
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20160107193818Z
modifyTimestamp: 20160503184243Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

#
# rpm -qa 389*
389-admin-1.1.35-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64


Thanks for your help!!!


On Tue, May 3, 2016 at 11:25 AM, Mark Reynolds <marey...@redhat.com> wrote:



    On 05/03/2016 11:38 AM, Derek Belcher wrote:
    The 389ds website is down.
    We are currently working on getting the site back up.  The hosting
    service(openshift) is misbehaving, and we are waiting for assistance.

    Here is the contents of that page:


    # How to Disable SSLv3
    --------------------------

    With the recent discovery of the Poodlebleed vulnerability bug
    (2014/10/15), a minimum of TLS1.1 should be used instead of SSLv3.

    ### Disable SSLv3 in 389 Directory Server

    Here is an example of how to use ldapmodify to disable SSLv3 and
    enable TLS

        # ldapmodify -D "cn=directory manager" -W
        dn: cn=encryption,cn=config
        changetype: modify
        replace: nsSSL2
        nsSSL2: off
        -
        replace: nsSSL3
        nsSSL3: off
        -
        replace: nsTLS1
        nsTLS1: on

    Set the SSL version range to enforce TLS1.1 through TLS1.2.

        # ldapmodify -D "cn=directory manager" -W
        dn: cn=encryption,cn=config
        changetype: modify
        replace: sslVersionMin
        sslVersionMin: TLS1.1
        -
        replace: sslVersionMax
        sslVersionMax: TLS1.2

    Note: If sslVersionMax is not explicitly set, the supported
    version by the installed NSS is applied to sslVersionMax. If
    sslVersionMin is not explicitly set, even if NSS supports SSL3,
    TLS1.0 is set to sslVersionMin, by default.

    You need to restart the server for this to take effect.

    ### Disable SSLv3 in favor of TLSv1.1(or higher) in 389
    Administration Server

    -   Stop the Admin Server
    -   Edit /etc/dirsrv/admin-serv/console.conf

            Change: NSSProtocol SSLv3,TLSv1
            To:     NSSProtocol TLSv1.1

    -   Start the Admin server


    ### Enforce TLS version range in the console

    Edit the console preferences file and add the following lines:


        # vi ~/.389-console/Console.1.1.12.Login.preferences

        sslVersionMin: TLS1.1
        sslVersionMax: TLS1.2

    ### Verify SSLv3 is Disabled

    You can use the openssl client tool to verify the SSL Handshake
    does NOT take place.

        openssl s_client -connect hostname:389 -ssl3   # DS Port
        openssl s_client -connect hostname:636 -ssl3   # DS Secure Port
        openssl s_client -connect hostname:9830 -ssl3  # Admin Server Port

    For more information see
    <https://access.redhat.com/articles/1232123>

    There is also a script available from the above link that will run
    the openssl client tool and verify the SSL3 status for you.






    Can anyone tell me how to disable SSLv3 so I can protect against
    Poodle?

    This seems like it would be the right article, if I could only
    access it:
    http://directory.fedoraproject.org/docs/389ds/howto/howto-disable-sslv3.html

    "503 Service UnavailableNo server is available to handle this
    request. "


    Thank you for your time.
    -Derek



    --
    389-users mailing list
    389-users@lists.fedoraproject.org
    http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
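As an added example (not part of the howto quoted above nor of the 389 project), the script below wraps the same `openssl s_client` checks so they can be run across the secure ports and read mechanically instead of by eye. It assumes: a successful handshake is recognised by the SSL-Session block naming a real cipher, while a refused one leaves `Cipher    : 0000`; an openssl that no longer has SSLv3 (or TLS1.0) compiled in reports "unknown option" or "no protocols available" and is recorded as untestable (None) rather than as "disabled"; and the two output samples are constructed, not captured from a real server. It probes 636 and 9830 by default because 389 is the cleartext LDAP port, where TLS is only reachable through STARTTLS, so a raw handshake there fails whatever the server's protocol range is. The function names (handshake_succeeded, probe, audit, violations) are hypothetical.

```python
import subprocess

# Protocol flags as openssl s_client spells them.
VERSION_FLAGS = {"SSLv3": "-ssl3", "TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2"}

# Constructed s_client output for a negotiated TLSv1.2 session.
SUCCESS_SAMPLE = """CONNECTED(00000003)
---
SSL handshake has read 1452 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 1A2B
    Verify return code: 0 (ok)
---
"""

# Constructed s_client output for a refused SSLv3 handshake.
FAIL_SAMPLE = """CONNECTED(00000003)
140735250670432:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
---
"""


def handshake_succeeded(s_client_output):
    """Decide from s_client output whether a session was negotiated.
    Returns (ok, protocol_or_None); a refused handshake leaves Cipher 0000
    (or no SSL-Session block at all)."""
    protocol, cipher = None, None
    for line in s_client_output.splitlines():
        key, _, value = line.strip().partition(":")
        key = key.strip()
        if key == "Protocol":
            protocol = value.strip()
        elif key == "Cipher":
            cipher = value.strip()
    ok = cipher is not None and cipher != "0000"
    return ok, (protocol if ok else None)


def probe(host, port, flag, timeout=10):
    """One s_client attempt: True (negotiated), False (refused by the server),
    or None when the local openssl cannot speak that version at all."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), flag]
    try:
        # Empty stdin so s_client exits instead of waiting for input.
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    err = proc.stderr.decode("utf-8", "replace")
    if "unknown option" in err or "no protocols available" in err:
        return None
    return handshake_succeeded(proc.stdout.decode("utf-8", "replace"))[0]


def audit(host, ports=(636, 9830)):
    """Probe every protocol on every port: {(port, name): True/False/None}."""
    return {(port, name): probe(host, port, flag)
            for port in ports for name, flag in VERSION_FLAGS.items()}


def violations(results, allowed=("TLSv1.1", "TLSv1.2")):
    """Ports still accepting a protocol outside the allowed set."""
    return sorted((port, name) for (port, name), ok in results.items()
                  if ok and name not in allowed)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results = audit(host)
    for (port, name), ok in sorted(results.items()):
        print("%s:%d %-8s %s" % (host, port, name, {True: "ACCEPTED", False: "refused", None: "untestable"}[ok]))
    bad = violations(results)
    print("violations:", bad if bad else "none")
```

A None result is the important caveat: on a current workstation `openssl s_client -ssl3` usually cannot even attempt SSLv3, so a "failed" handshake from it proves nothing about the server; run the SSLv3 probe from a host whose OpenSSL still supports the protocol, or treat None as "not verified".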





