How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?
The purpose of this article is to provide administrative guidance to improve security on the DS replication channels.
Overview
You can restrict the list of protocols and cipher suites used by setting the ssl-protocol and ssl-cipher-suite properties for the relevant connector depending on version:
- DS 7 and later - the replication connector uses the Replication Synchronization Provider for its SSL configuration. See Improving security on DS replication channels (DS 7 and later) for further information.
- DS 6.x - the replication connector uses the Crypto Manager for its SSL configuration. See Improving security on DS replication channels (DS 6.x) for further information.
Caution
These are advanced configuration parameters; setting them incorrectly can cause replication to fail. Care should be taken to keep the configuration consistent across all servers in the replication group.
List Protocols and Cipher Suites
To list the available protocols and cipher suites, read the supportedTLSProtocols and supportedTLSCiphers attributes of the root DSE using the following command against an LDAPS connection that has default (unspecified protocol and cipher) SSL properties:
- DS 7.1 and later: $ ./ldapsearch --hostname ds.example.com --port 1636 --useSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
- DS 7: $ ./ldapsearch --hostname ds.example.com --port 1636 --useSSL --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
- DS 6.x: $ ./ldapsearch --hostname ds.example.com --port 1636 --useSSL --trustAll --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
Note
The available protocols and cipher suites you can use depend on what is supported by your JVM. You should upgrade your JVM and/or install the Oracle® Java® JCE unlimited strength jars to use stronger ciphers. These jars can be downloaded from the following link for Java 8 and earlier: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download. Java 9 and later uses the unlimited policy files by default.
Improving security on DS replication channels (DS 7 and later)
You can restrict the list of protocols and cipher suites used on the replication connector with the ssl-protocol and ssl-cipher-suite properties for Replication Synchronization Provider. For example, to restrict the cipher suites to TLS_EMPTY_RENEGOTIATION_INFO_SCSV and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and only allow TLSv1.2, you can use the dsconfig set-synchronization-provider-prop command as shown in the following example:
You will need to restart DS if you want these changes to take effect immediately. If you don't restart DS, then these changes will only impact new SSL/TLS-based sessions created after the change.
See Replication Synchronization Provider Properties for further information.
Improving security on DS replication channels (DS 6.x)
You can restrict the list of protocols and cipher suites used on the replication connector with the ssl-protocol and ssl-cipher-suite properties for Crypto Manager. For example, to restrict the cipher suites to TLS_EMPTY_RENEGOTIATION_INFO_SCSV and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and only allow TLSv1.1 and v1.2, you can use the dsconfig set-crypto-manager-prop command as shown in the following example:
You will need to restart DS if you want these changes to take effect immediately. If you don't restart DS, then these changes will only impact new SSL/TLS-based sessions created after the change.
See Crypto Manager for further information.
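The following script is an added example, not ForgeRock's own tooling, that ties the three sections above together: it filters the supportedTLSCiphers values returned by the ldapsearch commands down to strong suites, then builds the dsconfig command that applies those suites and protocols to the replication connector, choosing the subcommand and trust-store flags for DS 7.1, DS 7 or DS 6.x, and runs or prints it for every server in the group. It goes beyond the single-version examples above by handling all three versions from one function. The admin port 4444, the bind DN uid=admin, the password file path, the provider name "Multimaster Synchronization", the host names and the root DSE sample are assumptions; check the provider name with dsconfig list-synchronization-providers and adjust the rest to your deployment.

```shell
#!/bin/sh
# Added example (not ForgeRock's code): select strong suites from the root
# DSE and build/apply the dsconfig command for the replication connector.
# Assumed values below: admin port, bind DN, password file, provider name.

ADMIN_PORT=4444
BIND_DN=uid=admin                            # assumed; cn=Directory Manager on DS 6.x
BIND_PW_FILE=/path/to/admin.pin              # assumed
KEYSTORE=/path/to/ds/config/keystore         # same paths as the ldapsearch commands
KEYSTORE_PIN=/path/to/ds/config/keystore.pin
PROVIDER_NAME='Multimaster Synchronization'  # assumed default provider name

# Constructed sample of the root DSE LDIF the ldapsearch commands return.
SAMPLE_ROOT_DSE='dn:
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2'

# Reads LDIF on stdin, prints one suite per line. Keeps suites with forward
# secrecy (ECDHE/DHE) and an AEAD cipher (GCM/CHACHA20), the TLS 1.3 suites,
# and the renegotiation signalling value the article keeps. Drops NULL, anon,
# RC4, 3DES, EXPORT, any CBC mode, and static-RSA key exchange.
strong_suites() {
    sed -n 's/^supportedTLSCiphers: //p' | while read -r suite; do
        case "$suite" in
            TLS_EMPTY_RENEGOTIATION_INFO_SCSV) echo "$suite" ;;
            *NULL*|*anon*|*RC4*|*3DES*|*EXPORT*|*_CBC_*) ;;
            TLS_ECDHE_*_GCM_*|TLS_ECDHE_*_CHACHA20_*) echo "$suite" ;;
            TLS_DHE_*_GCM_*|TLS_DHE_*_CHACHA20_*) echo "$suite" ;;
            TLS_AES_*|TLS_CHACHA20_*) echo "$suite" ;;
            *) ;;
        esac
    done
}

# Prints the dsconfig command for one server. $1 = DS version (7.1, 7 or 6),
# $2 = host, $3 = space-separated protocols, $4 = newline/space-separated
# suites. Subcommand and trust-store flags follow the per-version table in
# the article; multi-valued properties take one --set per value.
dsconfig_tls_command() {
    version=$1; host=$2; protocols=$3; suites=$4
    case "$version" in
        7.1) sub=set-synchronization-provider-prop
             target="--provider-name \"$PROVIDER_NAME\""
             trust="--usePkcs12TrustStore $KEYSTORE --trustStorePassword:file $KEYSTORE_PIN" ;;
        7)   sub=set-synchronization-provider-prop
             target="--provider-name \"$PROVIDER_NAME\""
             trust="--usePkcs12TrustStore $KEYSTORE --trustStorePasswordFile $KEYSTORE_PIN" ;;
        6)   sub=set-crypto-manager-prop
             target=""
             trust="--trustAll" ;;
        *)   echo "unsupported DS version: $version" >&2; return 1 ;;
    esac
    set_args=""
    for p in $protocols; do set_args="$set_args --set ssl-protocol:$p"; done
    for s in $suites;    do set_args="$set_args --set ssl-cipher-suite:$s"; done
    printf 'dsconfig %s %s--hostname %s --port %s --bindDN "%s" --bindPasswordFile %s %s%s --no-prompt\n' \
        "$sub" "${target:+$target }" "$host" "$ADMIN_PORT" "$BIND_DN" "$BIND_PW_FILE" "$trust" "$set_args"
}

# Prints (DRY_RUN=1, the default) or runs the same command on every server,
# keeping the group consistent as the caution above requires.
# Usage: apply_replication_tls 7.1 "TLSv1.2" "$suites" ds1 ds2
apply_replication_tls() {
    version=$1; protocols=$2; suites=$3; shift 3
    for host in "$@"; do
        cmd=$(dsconfig_tls_command "$version" "$host" "$protocols" "$suites") || return 1
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Demo on the constructed sample: select suites, then show the commands.
SUITES=$(printf '%s\n' "$SAMPLE_ROOT_DSE" | strong_suites)
apply_replication_tls 7.1 "TLSv1.2" "$SUITES" ds1.example.com ds2.example.com
```

Because each --set replaces the property's whole value set, the generated command is idempotent and safe to re-run on every server. The root DSE attributes reflect what the JVM supports, not what the connector is configured to accept, so after applying the change and restarting as the article describes, confirm the result with a client-side TLS check against the replication port rather than by re-reading the root DSE.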
See Also
How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?
Related Training
N/A
Related Issue Tracker IDs
N/A