Tuesday, May 3, 2016

[389-users] Re: POODLE: cve-2014-3566

Thank you Mark.

On Tue, May 3, 2016 at 11:25 AM, Mark Reynolds <mareynol@redhat.com> wrote:


On 05/03/2016 11:38 AM, Derek Belcher wrote:
The 389ds website is down.
We are currently working on getting the site back up.  The hosting service (OpenShift) is misbehaving, and we are waiting for assistance.

Here is the contents of that page:


# How to Disable SSLv3
--------------------------

With the recent discovery of the Poodlebleed vulnerability bug (2014/10/15), a minimum of TLS1.1 should be used instead of SSLv3.

### Disable SSLv3 in 389 Directory Server

Here is an example of how to use ldapmodify to disable SSLv3 and enable TLS.

    # ldapmodify -D "cn=directory manager" -W
    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL2
    nsSSL2: off
    -
    replace: nsSSL3
    nsSSL3: off
    -
    replace: nsTLS1
    nsTLS1: on

Set the SSL version range to enforce TLS1.1 through TLS1.2.

    # ldapmodify -D "cn=directory manager" -W
    dn: cn=encryption,cn=config
    changetype: modify
    replace: sslVersionMin
    sslVersionMin: TLS1.1
    -
    replace: sslVersionMax
    sslVersionMax: TLS1.2

Note: If sslVersionMax is not explicitly set, the version supported by the installed NSS is applied to sslVersionMax. If sslVersionMin is not explicitly set, TLS1.0 is used for sslVersionMin by default, even if NSS supports SSL3.

You need to restart the server for this to take effect.

### Disable SSLv3 in favor of TLSv1.1 (or higher) in 389 Administration Server

-   Stop the Admin Server
-   Edit /etc/dirsrv/admin-serv/console.conf

        Change: NSSProtocol SSLv3,TLSv1
        To:     NSSProtocol TLSv1.1

-   Start the Admin server


### Enforce TLS version range in the console

Edit the console preferences file and add the following lines:


    # vi ~/.389-console/Console.1.1.12.Login.preferences

    sslVersionMin: TLS1.1
    sslVersionMax: TLS1.2

### Verify SSLv3 is Disabled

You can use the openssl client tool to verify the SSL Handshake does NOT take place.

    openssl s_client -connect hostname:389 -ssl3   # DS Port
    openssl s_client -connect hostname:636 -ssl3   # DS Secure Port
    openssl s_client -connect hostname:9830 -ssl3  # Admin Server Port

For more information see <https://access.redhat.com/articles/1232123>

There is also a script available from the above link that will run the openssl client tool and verify the SSL3 status for you.


Can anyone tell me how to disable SSLv3 so I can protect against Poodle?

This seems like it would be the right article, if I could only access it:
http://directory.fedoraproject.org/docs/389ds/howto/howto-disable-sslv3.html

"503 Service Unavailable No server is available to handle this request. "


Thank you for your time.
-Derek

--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org


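As an added example (not code from the 389 project, the howto, or either poster), the following script checks a `cn=encryption,cn=config` entry for the settings the howto changes. It takes the LDIF that `ldapsearch -D "cn=directory manager" -W -b cn=encryption,cn=config` prints, applies the defaults the howto's note states (unset `sslVersionMin` means TLS1.0; unset `sslVersionMax` means whatever the installed NSS supports, which the script cannot query and so takes as the assumed `nss_max` argument), and reports anything that still leaves SSLv3 reachable. The two LDIF entries in the script are constructed samples, one before and one after the ldapmodify operations above.

```python
# Added example, not part of the 389 project or the mailing-list post:
# audit a 389 DS cn=encryption,cn=config entry for the POODLE-relevant
# settings. Input is LDIF as printed by, for instance,
#   ldapsearch -D "cn=directory manager" -W -b cn=encryption,cn=config
# The sample entries at the bottom are constructed, not captured.

# Protocol names as 389 DS writes them, weakest first.
PROTOCOL_ORDER = ["SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
MIN_ACCEPTABLE = "TLS1.1"   # floor the howto recommends


def parse_ldif_entry(ldif_text):
    """Return {attribute_lower: [values]} for one LDIF entry.

    Handles LDIF line folding (continuation lines start with a space),
    skips comment lines, and lower-cases attribute names because LDAP
    attribute names are case-insensitive (nsSSL3 == nsssl3).
    """
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        elif raw.strip():
            logical.append(raw)
    attrs = {}
    for line in logical:
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def rank(version):
    """Position of a protocol name in PROTOCOL_ORDER; ValueError if unknown."""
    if version not in PROTOCOL_ORDER:
        raise ValueError("unrecognized protocol version %r" % version)
    return PROTOCOL_ORDER.index(version)


def effective_range(attrs, nss_max="TLS1.2"):
    """Apply the howto's defaults: unset min -> TLS1.0, unset max -> the
    highest version the installed NSS supports. nss_max is an assumed value,
    since this script cannot ask NSS itself."""
    vmin = (attrs.get("sslversionmin") or ["TLS1.0"])[0]
    vmax = (attrs.get("sslversionmax") or [nss_max])[0]
    return vmin, vmax


def audit(ldif_text, nss_max="TLS1.2"):
    """Return a list of findings; an empty list means SSLv2/SSLv3 are off,
    nsTLS1 is on, and the effective range starts at TLS1.1 or higher."""
    attrs = parse_ldif_entry(ldif_text)
    findings = []
    for attr in ("nsSSL2", "nsSSL3"):
        if attrs.get(attr.lower(), ["off"])[0].lower() == "on":
            findings.append("%s is on" % attr)
    if attrs.get("nstls1", ["off"])[0].lower() != "on":
        findings.append("nsTLS1 is not on")
    vmin, vmax = effective_range(attrs, nss_max)
    if rank(vmin) < rank(MIN_ACCEPTABLE):
        findings.append("effective sslVersionMin is %s; set it to %s or higher"
                        % (vmin, MIN_ACCEPTABLE))
    if rank(vmax) < rank(vmin):
        findings.append("sslVersionMax %s is below sslVersionMin %s" % (vmax, vmin))
    return findings


# Constructed sample: SSLv3 still enabled, no explicit version range.
VULNERABLE_LDIF = """\
dn: cn=encryption,cn=config
cn: encryption
nsSSL2: off
nsSSL3: on
nsTLS1: on
"""

# Constructed sample: the entry after both ldapmodify operations in the howto.
HARDENED_LDIF = """\
dn: cn=encryption,cn=config
cn: encryption
nsSSL2: off
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.1
sslVersionMax: TLS1.2
"""

if __name__ == "__main__":
    for label, ldif in (("vulnerable", VULNERABLE_LDIF), ("hardened", HARDENED_LDIF)):
        print(label, audit(ldif) or ["ok"])
```

The script only reads the configuration; it does not replace the `openssl s_client -ssl3` check, which confirms what the running server actually negotiates after the restart.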

