Preventing the use of weak SSL cipher suites
You can restrict the use of weak SSL cipher suites for strengthening security as needed, by setting the ssl-protocol and ssl-cipher-suite properties to include only the protocols or cipher suites you want to use for the particular connection handler or connector.
The available protocols and cipher suites you can use depend on what is supported by your JVM. You should upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength jars to use stronger ciphers. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.
To list the currently supported protocols and cipher suites, read the supportedTLSProtocols and supportedTLSCiphers attributes of the root DSE. For example:
$ ./ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
See Administration Guide › To List Protocols and Cipher Suites for further information.
The DS/OpenDJ command line tools like dsconfig and dsreplication communicate with the DS/OpenDJ server using the administration connection handler, which by default listens on all network interfaces on port 4444, and uses LDAPS. You should reconfigure the administration connection handler to remove the weak cipher suites and strengthen security as needed.
See How do I prevent the use of weak SSL cipher suites on DS/OpenDJ (All versions) administration port? for further information.
The replication connector uses the Crypto Manager for its SSL configuration. You should reconfigure the Crypto Manager to remove the weak cipher suites and strengthen security as needed.
See How do I prevent the use of weak SSL cipher suites on DS 5.x, 6.x or OpenDJ 3.x replication port? for further information.
Connection handlers are all configured in the same way using the dsconfig set-connection-handler-prop command. The only thing that changes is the handler-name option.
The three connection handlers you should be concerned with are:
- HTTP - this handler provides access to directory data over HTTP, including via the REST API.
- LDAP - this handler provides secure connections from client applications using StartTLS.
- LDAPS - this handler provides secure connections from client applications using LDAPS (LDAP/SSL).
See Administration Guide › To Restrict Protocols and Cipher Suites for information on configuring connection handlers to remove weak cipher suites and strengthen security as needed.
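As an added example (not from the ForgeRock documentation or the DS code base), the POSIX shell script below filters the supportedTLSCiphers values returned by the ldapsearch above into an allow-list, reports the weak suites the server currently offers, and prints the corresponding dsconfig set-connection-handler-prop command for the LDAPS handler. The hostname, bind DN, password placeholder and the sample root DSE output are constructed; the allow-list policy (ECDHE/DHE with AES-GCM over TLSv1.2) is one reasonable choice, not the only one.

```shell
#!/bin/sh
# Added example, not from the ForgeRock documentation: derive a cipher-suite
# allow-list from the root DSE and build the matching dsconfig command.
# Hostname, bind credentials and the sample LDIF below are constructed.

# Constructed sample of what the ldapsearch for supportedTLSCiphers returns.
SAMPLE_ROOT_DSE='dn:
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedTLSCiphers: TLS_DH_anon_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV'

# Extract suite names, one per line, from LDIF on stdin.
suite_names() { sed -n 's/^supportedTLSCiphers: //p'; }

# Allow-list: forward-secret key exchange (ECDHE/DHE) with AES-GCM (AEAD).
strong_suites() {
  suite_names |
    grep -E '^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$' |
    sort -u
}

# Audit view: suites that are weak by construction (anonymous, NULL, RC4,
# DES/3DES, export grade, MD5 MAC, or SSLv3-era names).
weak_suites() { suite_names | grep -E 'anon|NULL|RC4|DES|EXPORT|MD5|^SSL_' | sort -u; }

# Turn a suite list on stdin into repeated --set arguments for dsconfig.
cipher_set_args() {
  while read -r suite; do printf '%s ' "--set ssl-cipher-suite:$suite"; done
}

# Print (rather than run) the dsconfig command restricting the named handler
# to TLSv1.2 and the allow-listed suites.
build_dsconfig_cmd() {
  args="$(printf '%s\n' "$SAMPLE_ROOT_DSE" | strong_suites | cipher_set_args)"
  printf '%s %s %s%s\n' \
    './dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444' \
    '--bindDN "cn=Directory Manager" --bindPassword "<password>"' \
    "--handler-name $1 --set ssl-protocol:TLSv1.2 $args" '--trustAll --no-prompt'
}

echo "Weak suites currently offered by the server:"
printf '%s\n' "$SAMPLE_ROOT_DSE" | weak_suites
build_dsconfig_cmd LDAPS
```

Replace the sample LDIF with the real ldapsearch output from your server, review the printed command, and then run it against the LDAP and HTTP handlers as well by changing the handler name.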
Related Issue Tracker IDs