Instructions for Disabling SSL 2 in Netscape Servers
Last updated 2004-09-16
This document describes how to disable SSL 2 and all the SSL 2 cipher suites in the following Netscape servers:
- Netscape Enterprise Server NES: versions 6.0 and later
- Netscape Enterprise Server NES version 4.x
- Directory Server: versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2
- CMS: versions 4.1, 4.2, 4.5, 6.0, 6.01, 6.1, and 6.2
- Administration Server: versions contained in
- CMS 4.x
- CMS 6.x
- Directory Server 4.x
- Directory Server 6.x
Netscape Enterprise Server NES 6.0 and later
These instructions apply to NES 6.0 and later (including all service packs).
To disable SSL 2 via the NES admin server:
- Log into admin
- Select the instance you want (or stay in and configure the admin server)
- Select the Preferences tab
- For the listen socket that has SSL enabled, select Attributes
- Under Ciphers select SSL2
- Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
- Click Ok, then Quit to get rid of the window
- Click Apply in upper-right of browser
- Click Apply Changes and restart the server
- Enter your SSL password when prompted
1. Edit <server-root>/http-<instance>/config/server.xml:
- In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
- To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
Here is an example:
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off"
ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on"
ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"
/>
2. Stop and restart NES
Netscape Enterprise Server NES 4.x
- Log into admin
- Select the instance you want (or stay in and configure the admin server)
- Select the Preferences tab
- Select Encryption Preferences
- Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
- Click Ok, then Ok again to acknowledge that your changes have been saved.
- Click "Save and Apply" to apply the changes and restart the server.
Directory Server: versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2
This applies to Directory Server versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2. These steps are not necessary on later versions of Directory Server.
If you have enabled SSL on your Administration Server, please also follow the instructions below to disable SSL 2 ciphers for that server.
- Stop Directory Server.
- Open the <server_root>/slapd-<instance>/config/dse.ldif file in an editor. You need to disable all of the SSL 2 ciphers in the "dn:cn=encryption,cn=config" entry by adding the following to the comma-separated list of ciphers in the "nsSSL3ciphers" attribute:
-rc4,-rc4export,-rc2,-rc2export,-des,-desede3
- Restart Directory Server.
nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3
Notes:
- It is important that you include the hyphen character before each cipher when modifying the "nsSSL3ciphers" attribute. That tells Directory Server to not enable those ciphers.
- If you modify your cipher preferences through Directory Server Console again, you will lose these manually added ciphers. You would then need to go through this procedure of modifying the dse.ldif file again.
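The following check is an added example, not part of the original instructions or of any Netscape tooling: it reads dse.ldif text, unfolds LDIF continuation lines, and reports any of the six SSL 2 ciphers that is not explicitly disabled with a hyphen in the cn=encryption,cn=config entry. The function names and the sample entry are constructed for illustration. Because the console can silently drop the manual additions, it is worth re-running after any console change.

```python
SSL2_CIPHERS = ("rc4", "rc4export", "rc2", "rc2export", "des", "desede3")

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def ssl2_cipher_problems(ldif_text):
    """List SSL 2 ciphers not explicitly disabled in cn=encryption,cn=config."""
    in_entry, tokens = False, None
    for line in unfold(ldif_text):
        if not line.strip():          # a blank line ends the current entry
            in_entry = False
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            in_entry = value.replace(" ", "").lower() == "cn=encryption,cn=config"
        elif in_entry and name == "nsssl3ciphers":
            tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    if tokens is None:
        return ["nsSSL3Ciphers attribute not found"]
    problems = []
    for cipher in SSL2_CIPHERS:
        # Compare whole tokens: "+rsa_des_sha" must not be mistaken for "+des".
        if "+" + cipher in tokens:
            problems.append(f"{cipher}: enabled (+)")
        elif "-" + cipher not in tokens:
            problems.append(f"{cipher}: missing, add -{cipher}")
    return problems

# Constructed sample entry (not from a real server); only two SSL 2 ciphers listed.
BEFORE = """dn: cn=encryption,cn=config
objectClass: top
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 +rsa_des_sha,-rc4,-rc4export
"""
# The same entry after appending the full list given in the instructions.
AFTER = BEFORE.replace("-rc4,-rc4export",
                       "-rc4,-rc4export,-rc2,-rc2export,-des,-desede3")

if __name__ == "__main__":
    print("before:", ssl2_cipher_problems(BEFORE))
    print("after: ", ssl2_cipher_problems(AFTER))
```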
CMS: versions 4.1, 4.2, 4.5, 6.0, 6.01, 6.1, and 6.2
If you have enabled SSL on your Administration Server, please also follow the instructions under that product to disable SSL 2 ciphers.
If you have enabled SSL on your Directory Server, please also follow the instructions under that product to disable SSL 2 ciphers for each instance of DS.
To disable SSL 2 ciphers in CMS 4.1, 4.2, 4.5, and all subsequent 4.x patches/service packs, perform the following steps for each instance of CMS:
cd <server_root>/cert-<instance>/
./stop-cert
cd <server_root>/cert-<instance>/config/
- edit CMS.cfg and change the line "jss.ssl.cipherpref=" to
jss.ssl.cipherpref=rsa_rc4_40_md5,rsa_rc4_128_md5,rsa_des_sha,rsa_3des_sha,rsa_fips_3des_sha,rsa_fips_des_sha
cd <server_root>/cert-<instance>/
./start-cert
To disable SSL 2 ciphers in CMS 6.0, 6.01, 6.1, 6.2, and all subsequent 6.x patches/service packs, disable them manually via the configuration files, according to the following steps:
- To disable SSL 2 for each instance of CMS that has already been created, for the given <server_root>:
cd <server_root>/cert-<instance>/
./stop-cert
cd <server_root>/cert-<instance>/config/
- edit <server_root>/bin/cert-<instance>/config/server.xml:
- In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
- To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
cd <server_root>/cert-<instance>/
./start-cert
Here is an example:
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>
- To disable SSL 2 in all future instances of CMS for the given <server_root>:
cd <server_root>/bin/cert/templates/https/config/
- edit <server_root>/bin/cert/templates/https/config/server.xml:
- In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
- To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
Here is an example: It has been broken into multiple lines here to be more readable.
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>
Administration Servers for Directory Server and CMS
To disable SSL 2 ciphers in Administration Servers contained in Directory Server 4.x and CMS 4.x and all subsequent 4.x patches/service packs, perform the following steps via the Administration Console:
- Launch a console and login
- From the primary Console tab, open the <hostname> by clicking on the '+' sign immediately preceding it, and then open the Server Group by clicking on the '+' sign immediately preceding it
- Highlight the Administration Server, and click on the Open button on the right-hand side of the console
- From the Administration Console, select the Configuration tab
- On the right-hand side of the Configuration frame, select the Encryption tab
- Presuming that SSL has been enabled, click on the Cipher Preferences button. A dialog will be displayed containing all of the ciphers; deselect all checkboxes under SSL 2.0 ciphers including:
- RC4 with 40 bit encryption and MD5 message authentication
- RC2 with 40 bit encryption and MD5 message authentication
- RC4 with 128 bit encryption and MD5 message authentication
- RC2 with 128 bit encryption and MD5 message authentication
- DES with 56 bit encryption and MD5 message authentication
- Triple DES with 168 bit encryption and MD5 message authentication
- Deselect the main SSL 2.0 ciphers checkbox
- Click the OK button
- Click the Save button
- Close the Administration Console
- Close the primary Console
cd <server_root>/
./stop-admin
./start-admin
- Launch a console and login
- From the primary Console tab, open the <hostname> by clicking on the '+' sign immediately preceding it, and then open the Server Group by clicking on the '+' sign immediately preceding it
- Highlight the Administration Server, and click on the Open button on the right-hand side of the console
- From the Administration Console, select the Configuration tab
- On the right-hand side of the Configuration frame, select the Encryption tab
- Presuming that SSL has been enabled, click on the Settings button located after the Cipher: label
- A dialog entitled Cipher Preference will be displayed containing all of the ciphers; select the SSL 2.0 tab
- Deselect all checkboxes under SSL 2.0 ciphers including:
DES 56 MD5
RC2 (Export) 40 MD5
RC4 (Export) 40 MD5
DES 168 MD5
RC4 128 MD5
RC2 128 MD5
- Click the OK button
- Click the Save button
- Close the Administration Console
- Close the primary Console
cd <server_root>/
./stop-admin
./start-admin
cd <server_root>/
./stop-admin
cd <server_root>/admin-serv/config/
- edit <server_root>/admin-serv/config/server.xml:
- In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
- To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the SSL 2 ciphers listed.
cd <server_root>/
./start-admin
Here is an example. (It has been broken into two lines here for readability, but should be one line)
<SSLPARAMS
servercertnickname="Server-Cert" ssl2="off"
ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on"
ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>
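
The server.xml edits described above for NES 6.x, CMS 6.x and the Administration Server can be verified after the change with a short audit. This is an added example, not part of the original instructions: the function name, the `<CONFIG>` wrapper element and the sample values are constructed, and a missing ssl2 attribute is reported as a finding on the assumption that it should always be set explicitly.

```python
import xml.etree.ElementTree as ET

def audit_sslparams(xml_text):
    """Return findings for every SSLPARAMS element that still allows SSL 2."""
    findings = []
    root = ET.fromstring(xml_text)
    for n, el in enumerate(root.iter("SSLPARAMS"), 1):
        # The protocol switch itself must be off.
        if el.get("ssl2", "").lower() != "off":
            findings.append(f"SSLPARAMS #{n}: ssl2={el.get('ssl2')!r}, expected 'off'")
        # Every entry in ssl2ciphers must carry the "-" prefix.
        for tok in el.get("ssl2ciphers", "").split(","):
            tok = tok.strip()
            if tok and not tok.startswith("-"):
                findings.append(f"SSLPARAMS #{n}: SSL 2 cipher still enabled: {tok}")
    return findings

# Constructed sample: SSL 2 on and four SSL 2 ciphers still enabled.
WEAK = """<CONFIG>
  <SSLPARAMS servercertnickname="Server-Cert" ssl2="on"
    ssl2ciphers="+rc4,+rc4export,-rc2,-rc2export,+des,+desede3"
    ssl3="on"
    ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_null_md5"/>
</CONFIG>"""

# The same element after applying the edits described in the instructions.
FIXED = (WEAK.replace('ssl2="on"', 'ssl2="off"')
             .replace("+rc4,+rc4export", "-rc4,-rc4export")
             .replace("+des,+desede3", "-des,-desede3"))

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_sslparams(text))
```

Run it against each instance's server.xml and against the template used for future CMS instances, since the two are edited separately.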