Re: Disabling SSLv3 Issues
Thank you very much! I used

olcTLSProtocolMin: 3.2
olcTLSCipherSuite: HIGH:MEDIUM:!ADH:!MD5:!RC4

And that seems to have fixed my issues!

___
Dustin Lemp
Systems Analyst
Jefferson College
636-481-3477

On Wed, Feb 22, 2017 at 12:32 AM, Martin Schuster (IFKL IT OS DC CD) <martin.schust...@infineon.com> wrote:

> I'm not sure how this is handled by Apache Directory, but usually there
> are 2 different settings you mustn't confuse:
>
> CipherSuite selects the available /ciphers/; there are a lot of "SSL3"
> ciphers that are still okay to use. If you disable all of them, it's
> quite possible that clients can't connect anymore.
> Try "openssl ciphers -v SSLv3" to get a list.
>
> There should also be another setting to control the minimum protocol
> level ("olcTLSProtocolMin" for OpenLDAP, "SSLProtocol" for Apache
> httpd). This allows you to disable e.g. SSLv3 and below, it is the one
> you need to change!
>
> hth, cheers,
> --
> Infineon Technologies IT-Services GmbH martin.schust...@infineon.com
> Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
> FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
>
Re: Disabling SSLv3 Issues
I'm not sure how this is handled by Apache Directory, but usually there
are 2 different settings you mustn't confuse:

CipherSuite selects the available /ciphers/; there are a lot of "SSL3"
ciphers that are still okay to use. If you disable all of them, it's
quite possible that clients can't connect anymore.
Try "openssl ciphers -v SSLv3" to get a list.

There should also be another setting to control the minimum protocol
level ("olcTLSProtocolMin" for OpenLDAP, "SSLProtocol" for Apache
httpd). This allows you to disable e.g. SSLv3 and below, it is the one
you need to change!

hth, cheers,
--
Infineon Technologies IT-Services GmbH martin.schust...@infineon.com
Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
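
The cipher-suite versus protocol-minimum distinction from the message above, as an added example that is not part of the thread or of OpenLDAP: a small check that reads the two attributes from cn=config LDIF and reports whether an explicit protocol floor is set. The function names and the two LDIF samples are constructed here around the values quoted in this thread; the version mapping assumes slapd's documented convention that 3.0 is SSLv3 and 3.(x+1) is TLS 1.x.

```python
# Added example (not from the thread): audit the two slapd TLS settings.
def parse_ldif_attrs(ldif):
    """Return {attribute: value} from LDIF text, unfolding folded lines."""
    attrs, last = {}, None
    for line in ldif.splitlines():
        if line.startswith(" ") and last:            # LDIF continuation line
            attrs[last] += line[1:]
        elif ":" in line and not line.startswith("#"):
            name, _, value = line.partition(":")
            last = name.strip()
            attrs[last] = value.strip()
    return attrs

def protocol_floor(value):
    """Name the lowest protocol an olcTLSProtocolMin value allows.
    The value is the wire version: 3.0 is SSLv3, 3.(x+1) is TLS 1.x."""
    major, _, minor = value.partition(".")
    major, minor = int(major), int(minor or 0)
    if (major, minor) <= (3, 0):
        return "SSLv3 or lower"
    return f"TLSv1.{minor - 1}"

def audit(ldif):
    """Return a list of findings; an empty list means both settings look sane."""
    attrs, findings = parse_ldif_attrs(ldif), []
    floor = attrs.get("olcTLSProtocolMin")
    if floor is None:
        findings.append("olcTLSProtocolMin not set: no explicit protocol floor")
    elif protocol_floor(floor).startswith("SSLv3"):
        findings.append(f"olcTLSProtocolMin {floor} still permits SSLv3")
    suite = attrs.get("olcTLSCipherSuite", "")
    if "VERS-" in suite.upper():                     # protocol token in cipher string
        findings.append("olcTLSCipherSuite contains a protocol token; "
                        "set the floor with olcTLSProtocolMin instead")
    return findings

# Constructed samples: the setting from the original question, then the fix.
BEFORE = """dn: cn=config
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
"""
AFTER = """dn: cn=config
olcTLSProtocolMin: 3.2
olcTLSCipherSuite: HIGH:MEDIUM:!ADH:!MD5:!RC4
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "no findings")
```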
Re: Disabling SSLv3 Issues
Hi,

what version are you using? What Java version are you using? Do you have any log on the server?

On 21/02/2017 at 21:54, Lemp, Dustin wrote:

> Hey all,
> I have a question and hope that someone here can help me out. I'm trying to
> disable sslv3 on my openldap server. I'm adding "olcTLSCipherSuite:
> SECURE256:-VERS-SSL3.0" to my ssl config file. This fixes everything
> security-wise, but now I can't connect via ApacheDS. I'm still trying to
> connect via ldaps on port 636. Any ideas?
>
> Thanks!
> ___
> Dustin Lemp
> Systems Analyst
> Jefferson College
> 636-481-3477
>

--
Emmanuel Lecharny
Symas.com
directory.apache.org
Disabling SSLv3 Issues
Hey all,

I have a question and hope that someone here can help me out. I'm trying to disable sslv3 on my openldap server. I'm adding "olcTLSCipherSuite: SECURE256:-VERS-SSL3.0" to my ssl config file. This fixes everything security-wise, but now I can't connect via ApacheDS. I'm still trying to connect via ldaps on port 636. Any ideas?

Thanks!

___
Dustin Lemp
Systems Analyst
Jefferson College
636-481-3477