Hi Gerrard,

here is what we do to disable the weak encryptions:

Admin server:

dn: cn=encryption, cn=configuration, cn=admin-serv-ldap-<id>, cn=389 administration server, cn=server group,cn=ldap-<id>.example.com,ou=example.com,o=netscaperoot
nsSSL2: off
nsSSL3: on
nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_rc4_40_md5,
 +fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5

389 Server:

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_des_sha,
 +rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,
 +fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,
 -rc4,-rc4export,-rc2,-rc2export,-des,-desede3

I think it is possible to disable these algorithms via console but I have not tried...

@+

2011/2/16 Gerrard Geldenhuis <Gerrard.Geldenhuis@xxxxxxxxxxx>:
> Hi
> I am currently testing this but would like to double up my testing with any other experiences in the list.
>
> A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv.
>
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
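One way to check a cn=encryption entry against the "below 128 bits" criterion from the thread, as an added example that is not part of the original messages or of 389 Directory Server: it unfolds the LDIF, reads nsSSL3Ciphers, and lists every cipher still enabled with "+" whose nominal key size is under the threshold. The function names, the fragment-to-key-size table, and the sample entry (built from the cipher values in the message) are assumptions made for this illustration.

```python
import re

# Constructed sample: the cn=encryption,cn=config values quoted in the message,
# laid out as an LDIF entry with folded (continuation) lines.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3
"""

# Assumed mapping (name fragment -> nominal key bits); first match wins, so
# specific fragments come before the generic ones they contain.
RULES = [("null", 0), ("3des", 168), ("desede3", 168), ("_40_", 40),
         ("_56_", 56), ("_128_", 128), ("_256_", 256), ("des", 56),
         ("export", 40), ("fortezza", 80), ("rc4", 128), ("rc2", 128)]

def ldif_attrs(ldif):
    """Return {attribute: value}, joining folded lines (newline + one space)."""
    attrs = {}
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs[name.strip().lower()] = value.strip()
    return attrs

def key_bits(cipher):
    """Nominal key size implied by a cipher keyword, or None if unrecognised."""
    return next((bits for frag, bits in RULES if frag in cipher), None)

def weak_enabled(ldif, attr="nsSSL3Ciphers", min_bits=128):
    """List (cipher, bits) for every '+' cipher below min_bits or unrecognised."""
    found = []
    for tok in ldif_attrs(ldif).get(attr.lower(), "").split(","):
        tok = tok.strip().lower()
        if tok.startswith("+"):
            bits = key_bits(tok[1:])
            if bits is None or bits < min_bits:
                found.append((tok[1:], bits))
    return found

if __name__ == "__main__":
    for name, bits in weak_enabled(SAMPLE_LDIF):
        print(f"enabled below 128 bits: {name} ({bits})")
```

Ciphers the table does not recognise are reported with `None` so they get reviewed by hand rather than passing silently.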