You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.

Instructions for Disabling SSL 2 in Netscape Servers

Last updated 2004-09-16

This document describes how to disable SSL 2 and all the SSL 2 cipher suites in the following Netscape servers.

Netscape Enterprise Server NES: versions 6.0 and later
Netscape Enterprise Server NES version 4.x
Directory Server: versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2
CMS: versions 4.1, 4.2, 4.5, 6.0, 6.01, 6.1, and 6.2
Administration Server: versions contained in

CMS 4.x
CMS 6.x
Directory Server 4.x
Directory Server 6.x

Netscape Enterprise Server NES 6.0 and later

These instructions apply to NES 6.0 and later (including all service packs).

To disable SSL 2 via the NES admin server:

Log into admin
Select the instance you want (or stay in and configure the admin server)
Select the Preferences tab
For the listen socket that has SSL enabled, select Attributes
Under Ciphers select SSL2
Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
Click Ok, then Quit to get rid of the window
Click Apply in upper-right of browser
Click Apply Changes and restart the server
Enter your SSL password when prompted

To disable it manually via the configuration files:

1. Edit <server-root>/http-<instance>/config/server.xml:

In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.

Here is an example:

<SSLPARAMS servercertnickname="Server-Cert" ssl2="off"

ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on"

ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>

2. Stop and restart NES

Netscape Enterprise Server NES 4.x

Log into admin
Select the instance you want (or stay in and configure the admin server)
Select the Preferences tab
Select Encryption Preferences
Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
Click Ok, then Ok again to acknowledge that your changes have been saved.
Click "Save and Apply" to apply the changes and restart the server.

Directory Server: versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2

This applies to Directory Server versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2.
These steps are not necessary on later versions of Directory Server.

If you have enabled SSL on your Administration Server, please also follow the instructions below to disable SSL 2 ciphers for that server, also.

Stop Directory Server.



      
-rc4,-rc4export,-rc2,-rc2export,-des,-desede3

Restart Directory Server

Here's an example of the nsSSL3ciphers attribute with the correct ciphers disabled: This should be one line, but it is broken into multiple lines here to be more readable.

nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,

+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3

Notes:

It is important that you include the hyphen character before each cipher when modifying the "nsSSL3ciphers" attribute. That tells Directory Server to not enable those ciphers.
If you modify your cipher preferences through Directory Server Console again, you will lose these manually added ciphers. You would then need to go through this procedure of modifying the dse.ldif file again

CMS: versions 4.1, 4.2, 4.5, 6.0, 6.01, 6.1, and 6.2

If you have enabled SSL on your Administration Server, please also follow the instructions under that product to disable SSL 2 ciphers.

If you have enabled SSL on your Directory Server, please also follow the instructions under that product to disable SSL 2 ciphers for each instance of DS.

To disable SSL 2 ciphers in CMS 4.1, 4.2, 4.5, and all subsequent 4.x patches/service packs, perform the following steps for each instance of CMS:

cd <server_root>/cert-<instance>/
./stop-cert
cd <server_root>/cert-<instance>/config/
edit CMS.cfg and change the line "jss.ssl.cipherpref=" to jss.ssl.cipherpref=rsa_rc4_40_md5,rsa_rc4_128_md5,rsa_des_sha,rsa_3des_sha,rsa_fips_3des_sha,rsa_fips_des_sha
cd <server_root>/cert-<instance>/
./start-cert

To disable SSL 2 ciphers in CMS 6.0, 6.01, 6.1, 6.2, and all subsequent 6.x patches/service packs, disable them manually via the configuration files, according to the following steps:

To disable SSL 2 for each instance of CMS that has already been created, for the given <server_root>:
1. cd <server_root>/cert-<instance>/
2. ./stop-cert
3. cd <server_root>/cert-<instance>/config/
4. edit <server_root>/bin/cert-<instance>/config/server.xml:
  - In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
  - To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
5. cd <server_root>/cert-<instance>/
6. ./start-cert
Here is an example:

<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>
To disable SSL 2 in all future instances of CMS for the given <server_root>:
1. cd <server_root>/bin/cert/templates/https/config/
2. edit <server_root>/bin/cert/templates/https/config/server.xml:
  - In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
  - To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
Here is an example: It has been broken into multiple lines here to be more readable.

<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>

Administration Servers for Directory Server and CMS

To disable SSL 2 ciphers in Administration Servers contained in Directory Server 4.x and CMS 4.x and all subsequent 4.x patches/service packs, perform the following steps via the Administration Console:

Launch a console and login
From the primary Console tab, open the <hostname> by clicking on the '+' sign immediately preceding it, and then open the Server Group by clicking on the '+' sign immediately preceding it
Highlight the Administration Server, and click on the Open button on the right-hand side of the console
From the Administration Console, select the Configuration tab
On the right-hand side of the Configuration frame, select the Encryption tab
Presuming that SSL has been enabled, click on the Cipher Preferences button. A dialog will be displayed containing all of the ciphers; deselect all checkboxes under SSL 2.0 ciphers including:
- RC4 with 40 bit encryption and MD5 message authentication
- RC2 with 40 bit encryption and MD5 message authentication
- RC4 with 128 bit encryption and MD5 message authentication
- RC2 with 128 bit encryption and MD5 message authentication
- DES with 56 bit encryption and MD5 message authentication
- Triple DES with 168 bit encryption and MD5 message authentication
Deselect the main SSL 2.0 ciphers checkbox
Click the OK button
Click the Save button
Close the Administration Console
Close the primary Console
cd <server_root>/
./stop-admin
./start-admin

To disable SSL 2 ciphers in Administration Servers contained in Directory Server 6.x and CMS 6.x and all subsequent 6.x patches/service packs, perform the following steps via the Administration Console:

Launch a console and login
From the primary Console tab, open the <hostname> by clicking on the '+' sign immediately preceding it, and then open the Server Group by clicking on the '+' sign immediately preceding it
Highlight the Administration Server, and click on the Open button on the right-hand side of the console
From the Administration Console, select the Configuration tab
On the right-hand side of the Configuration frame, select the Encryption tab
Presuming that SSL has been enabled, click on the Settings button located after the Cipher: label
A dialog entitled Cipher Preference will be displayed containing all of the ciphers; select the SSL 2.0 tab
Deselect all checkboxes under SSL 2.0 ciphers including:
- DES 56 MD5
- RC2 (Export) 40 MD5
- RC4 (Export) 40 MD5
- DES 168 MD5
- RC4 128 MD5
- RC2 128 MD5
Click the OK button
Click the Save button
Close the Administration Console
Close the primary Console
cd <server_root>/
./stop-admin
./start-admin

To ensure that the Administration Server has disabled SSL 2.0, check the following configuration file manually:

cd <server_root>/
./stop-admin
cd <server_root>/admin-serve/config/
edit <server_root>/admin-serv/config/server.xml:
- In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
- To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the SSl2 ciphers listed.
cd <server_root>/
./start-admin

Here is an example. (It has been broken into two lines here for readability, but should be one line)

<SSLPARAMS
servercertnickname="Server-Cert" ssl2="off"
ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"

ssl3="on"
ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>