How do I disable TLS 1.0 and TLS 1.1 in DS (All versions)?
The purpose of this article is to provide information on disabling TLS 1.0 and TLS 1.1 in DS. These protocols have been deprecated by the Internet Engineering Task Force (IETF) and are considered insecure.
Overview
The TLS 1.0 and 1.1 protocols have been deprecated by IETF and are considered insecure due to known vulnerabilities and lack of support for the latest cipher suites.
See Deprecating TLSv1.0 and TLSv1.1 for further information.
Disabling TLS 1.0 and 1.1 in DS
You can disable TLS 1.0 and 1.1 in DS by explicitly setting the ssl-protocol property, which lists the protocols a connection handler accepts, on each connection handler. It is strongly recommended that you restrict the allowed protocols to TLSv1.2 on the following connection handlers: LDAP, LDAPS, HTTPS and the Administrator Connector.
Note
If you are using at least DS 6.5.3 and Java 11.0.6, you may also want to include TLSv1.3 as an allowed protocol. See How do I disable TLS 1.3 when running DS 6.5, 6.5.1 or 6.5.2 with Java 11.0.5 and earlier, or Java 1.8.0_272 and later? for further information about known issues.
In the following examples, you can allow TLSv1.3 in addition to TLSv1.2 by replacing --set ssl-protocol:TLSv1.2 with --set ssl-protocol:TLSv1.2 --set ssl-protocol:TLSv1.3.
LDAP connection handler
You can restrict the allowed protocols to TLSv1.2 on the LDAP connection handler using the dsconfig command, for example:
- DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAP --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
- DS 7: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAP --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
- DS 6.x: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAP --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
LDAPS connection handler
You can restrict the allowed protocols to TLSv1.2 on the LDAPS connection handler using the dsconfig command, for example:
- DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
- DS 7: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name LDAPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
- DS 6.x: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
HTTPS connection handler
You can restrict the allowed protocols to TLSv1.2 on the HTTPS connection handler using the dsconfig command, for example:
- DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name HTTPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
- DS 7: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --handler-name HTTPS --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
- DS 6.x: $ ./dsconfig set-connection-handler-prop --hostname ds.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name HTTPS --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
Administrator Connector
You can restrict the allowed protocols to TLSv1.2 on the administrator connector using the dsconfig command, for example:
- DS 7.1 and later: $ ./dsconfig set-administration-connector-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
- DS 7: $ ./dsconfig set-administration-connector-prop --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --set ssl-protocol:TLSv1.2 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
- DS 6.x: $ ./dsconfig set-administration-connector-prop --hostname ds.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --set ssl-protocol:TLSv1.2 --trustAll --no-prompt
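After applying the changes above, verify them from a client. The following Python script is an added example, not part of this article or of DS: it attempts one handshake per TLS version against each TLS-terminating port and reports any deprecated version a handler still accepts. The hostname ds.example.com and the port numbers are assumptions; adjust them to your deployment.

```python
import socket
import ssl

# Direct-TLS endpoints only (assumed ports; adjust to your deployment). The plain
# LDAP handler uses StartTLS inside LDAP, so probe that one with an LDAP client.
ENDPOINTS = {"LDAPS": 1636, "HTTPS": 8443, "Administration connector": 4444}
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = ("TLSv1", "TLSv1.1")

def make_context(version):
    """Client context pinned to one protocol version, certificate checks off
    (only handshake success matters). None if the local OpenSSL refuses it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    return ctx

def handshake(host, port, version, timeout=5.0):
    """True if the server accepts `version`, False if it rejects the handshake,
    None if this client cannot offer it. Plain socket errors propagate."""
    ctx = make_context(version)
    if ctx is None:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        # Client-side refusal (e.g. distro security level), not a server decision.
        if exc.reason in ("NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"):
            return None
        return False

def audit(results):
    """Deprecated protocols the handler still accepted (empty list == OK)."""
    return [name for name in DEPRECATED if results.get(name) is True]

if __name__ == "__main__":
    for handler, port in ENDPOINTS.items():
        results = {n: handshake("ds.example.com", port, v) for n, v in VERSIONS.items()}
        bad = audit(results)
        print(handler, port, results, "STILL ACCEPTS " + ", ".join(bad) if bad else "OK")
```

A result of None for TLSv1 or TLSv1.1 means the probing host's own OpenSSL would not offer that version, so run the check from a client that still can, or the old protocols are not actually being tested.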
See Also
How do I prevent the use of weak SSL cipher suites in DS (All versions)?
RFC 7525: SSL/TLS Protocol Versions
Deprecating TLSv1.0 and TLSv1.1
Related Training
N/A
Related Issue Tracker IDs
N/A