Re: Disabling sslv2 on linux for port 636.

[Harry Hoffman <hhoffman@xxxxxxxxxxxxxxxx>]

Yep, I believe slapd.conf accepts the same CipherSuite definition... you 
might want to just:

man slapd.conf

Cheers,
Harry



Rohit khaladkar wrote:
> So adding the following in slapd.conf should do the trick right..?
> SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
>
> Thanks!
> Rohit Khaladkar
>
> On Tue, Jun 2, 2009 at 8:51 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:
>
> > Right.  So its not apache listening on that port.  Changing apache files
> > will do nothing.
> >
> > Rob Marti
> >
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx [mailto:
> > redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
> > Sent: Tuesday, June 02, 2009 10:12 AM
> > To: General Red Hat Linux discussion list
> > Subject: Re: Disabling sslv2 on linux for port 636.
> >
> > Here they are :
> > [root@puiqtk01 conf]# lsof -i :636
> > COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
> > slapd   3498 ldap    9u  IPv6  11266       TCP *:ldaps (LISTEN)
> > slapd   3498 ldap   10u  IPv4  11267       TCP *:ldaps (LISTEN)
> >
> >
> > Thanks!
> > Rohit Khaladkar
> >
> > On Tue, Jun 2, 2009 at 8:32 PM, Harry Hoffman <hhoffman@xxxxxxxxxxxxxxxx
> > > wrote:
> > > Can you run (as root)
> > >
> > > lsof -i :636
> > >
> > > and paste the results?
> > >
> > > Cheers,
> > > Harry
> > >
> > >
> > > Rohit khaladkar wrote:
> > >
> > > > Thanks Nigel.
> > > > I am editing /opt/ABC/CCR/Apache2/conf/ssl.conf   file.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Tue, Jun 2, 2009 at 8:04 PM, Nigel Wade <nmw@xxxxxxxxxxxx> wrote:
> > > >
> > > >  Rohit khaladkar wrote:
> > > > >  Hi All,I want to disable ssl2 on a linux server for Port 636. Here is
> > > > > > the
> > > > > > procedure that I followed :
> > > > > >
> > > > > > 1)Edit ssl.conf and added following entries in it .
> > > > > >
> > > > > > SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
> > > > > > SSLProtocol -All +SSLv3 +TLSv1
> > > > > >
> > > > > > 2)Restarted Apache service.
> > > > > >
> > > > > > 3)Restarted network.
> > > > > >
> > > > > > I checked if ssl2 is disabled using the following command :
> > > > > >
> > > > > > openssl s_client -connect hostname:636 -ssl2
> > > > > >
> > > > > > where hostname= server name
> > > > > >
> > > > > > But it still shows me the certificate. I even tried rebooting the
> > > > > > machine
> > > > > > ,
> > > > > > but no luck.
> > > > > >
> > > > > > Am I missing anything here?.
> > > > > >
> > > > > >
> > > > > >  Port 636 is normally the ldaps port, ie. SSL encrypted LDAP. Are you
> > > > > really
> > > > > listening on that port with Apache? Which ssl.conf did you edit, a full
> > > > > path
> > > > > would be rather more specific than just a filename?
> > > > >
> > > > > Maybe you want to replace 636 with 443 (https) as the openssl request
> > > > > port.
> > > > >
> > > > > --
> > > > > Nigel Wade, System Administrator, Space Plasma Physics Group,
> > > > >           University of Leicester, Leicester, LE1 7RH, UK
> > > > > E-mail :    nmw@xxxxxxxxxxxx
> > > > > Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
> > > > >
> > > > >
> > > > > --
> > > > > redhat-list mailing list
> > > > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> >
> > --
> > Thanks!
> > Rohit Khaladkar
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list