Posted to users@directory.apache.org by Sean Kelly <ke...@apache.org> on 2016/10/04 16:54:36 UTC

Disabling weak ciphers

Folks:

My network security team is threatening to block access to our 
ApacheDS-2.0.0-M20 instance, citing weak ciphers like RC4 in use on our 
port 636.

Here's the list of ciphers I have enabled in the config:

ads-enabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ads-enabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ads-enabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
ads-enabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
ads-enabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256
ads-enabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA

There's no RC4 in there. But sure enough, when I test with OpenSSL, I 
can indeed connect with ECDHE-RSA-RC4-SHA, AECDH-RC4-SHA, and RC4-SHA, 
despite those NOT appearing in the list.

Any idea what's going on?

-- 
Sean Kelly
Member, Apache Software Foundation
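The OpenSSL test described above, done systematically, as an added example that is not part of the original post and not ApacheDS code: it asks the local OpenSSL build for every cipher it knows, attempts one handshake per cipher against the LDAPS port, and flags the accepted ones that match the usual weak patterns (RC4, DES/3DES, export, NULL, anonymous key exchange, MD5). The host and port are placeholders passed on the command line; the patterns are written to match both OpenSSL names (ECDHE-RSA-RC4-SHA) and IANA names (TLS_ECDH_anon_WITH_RC4_128_SHA), so the same check can be run over the ads-enabledciphers list itself.

```shell
#!/bin/sh
# Added example: probe an LDAPS listener for weak TLS ciphers.
# Assumes `openssl` is on PATH. HOST and PORT are supplied by the caller.

# PROTO_FLAG pins the protocol version so that -cipher really restricts the
# handshake: on OpenSSL 1.1.1+ a TLS 1.3 server would otherwise negotiate a
# TLS 1.3 suite regardless of -cipher and every probe would look "accepted".
# Override with PROTO_FLAG=-tls1 or PROTO_FLAG=-no_tls1_3 as needed.
PROTO_FLAG=${PROTO_FLAG:--tls1_2}

# Return 0 (true) when a cipher name, in OpenSSL or IANA spelling, is one a
# network security team would normally object to.
is_weak_cipher() {
    case "$1" in
        *RC4*|*DES*|*EXP*|*NULL*|ADH-*|AECDH-*|*_anon_*|*-MD5|*_MD5)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# One handshake restricted to a single cipher. s_client exits 0 only when the
# server completed the handshake with that cipher; stdin is closed so the
# session ends immediately after the handshake.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    openssl s_client -connect "$host:$port" $PROTO_FLAG -cipher "$cipher" \
        </dev/null >/dev/null 2>&1
}

# Walk every cipher the local OpenSSL knows (including NULL-encryption ones,
# which 'ALL' alone leaves out) and report the accepted ones, weak first.
scan_ciphers() {
    host=$1; port=$2
    openssl ciphers 'ALL:eNULL' | tr ':' '\n' | while read -r c; do
        if probe_cipher "$host" "$port" "$c"; then
            if is_weak_cipher "$c"; then
                echo "WEAK     $c"
            else
                echo "accepted $c"
            fi
        fi
    done | sort
}

# Usage: sh probe-ciphers.sh ldap.example.org 636
if [ "$#" -ge 2 ]; then
    scan_ciphers "$1" "$2"
fi
```

Anything printed as WEAK is a cipher the server actually negotiated, whatever the configured list says; that is the evidence to compare against ads-enabledciphers and against the defaults of the JVM the server runs on.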

Re: Disabling weak ciphers

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 05/10/16 at 15:44, Sean Kelly wrote:
> Emmanuel Lécharny wrote:
>> Which java version are you using ?
>>
>> RC4 is now disabled by default from Java 8u51, 7u85 and 6u101
>> (https://blogs.oracle.com/coffeys/entry/jdk_and_use_of_rc4).
> We're using Java 7u99.

This is not a version I have access to: you are paying a subscription
to Oracle to have updates, something I don't do.

I strongly suggest you test the code with the most recent Java 8 version.


Re: Disabling weak ciphers

Posted by Sean Kelly <ke...@apache.org>.
Emmanuel Lécharny wrote:
> Which java version are you using ?
>
> RC4 is now disabled by default from Java 8u51, 7u85 and 6u101
> (https://blogs.oracle.com/coffeys/entry/jdk_and_use_of_rc4).
We're using Java 7u99.

Does the ldaps transport start with an empty set of ciphers and add what 
it sees in "ads-enabledciphers"? Or perhaps starts with a default set of 
ciphers and adds to that?

Thanks
--k

Re: Disabling weak ciphers

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 18:54, Sean Kelly wrote:
> Folks:
>
> My network security team is threatening to block access to our
> ApacheDS-2.0.0-M20 instance, citing weak ciphers like RC4 in use on
> our port 636.
>
> Here's the list of ciphers I have enabled in the config:
>
> ads-enabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> ads-enabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> ads-enabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> ads-enabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> ads-enabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256
> ads-enabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA
>
> There's no RC4 in there. But sure enough, when I test with OpenSSL, I
> can indeed connect with ECDHE-RSA-RC4-SHA, AECDH-RC4-SHA, and RC4-SHA,
> despite those NOT appearing in the list.
>
> Any idea what's going on?

Which java version are you using ?

RC4 is now disabled by default from Java 8u51, 7u85 and 6u101
(https://blogs.oracle.com/coffeys/entry/jdk_and_use_of_rc4).