
SSLv2, SSLv3 and TLS 1.x support in eDirectory and iManager

This document (7017315) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ eDirectory 9.0.1
NetIQ eDirectory 8.8 SP8 Patch 8
NetIQ iManager 3.0.1
NetIQ iManager 2.7 SP7 Patch 7
NetIQ LDAP Proxy 1.5.2



CVE-2016-0800:  DROWN cross-protocol attack on TLS using SSLv2
CVE-2015-3197:  SSLv2 doesn't block disabled ciphers

Situation

Where can a listing be found of current eDirectory, iManager and LDAP Proxy versions and which versions of SSL/TLS they support?

Are any of the above products vulnerable to the DROWN attack?  Given the weaknesses found in older SSL protocols such as SSLv2, administrators want to know whether current versions of eDirectory still accept these protocols and which versions support the newer protocols such as TLS 1.2.

Resolution


eDirectory 8.8 SP8 & 9.0

SSLv2:
  • eDirectory 8.8.8 Linux
    • This protocol has always been disabled and cannot be manually re-enabled.
  • eDirectory 8.8.8 Windows
    • An OpenSSL vulnerability, CVE-2015-3197, allowed clients to continue negotiating SSLv2 ciphers that had been disabled on the server.  This has been addressed in 8.8 SP8 Patch 8.
  • eDirectory 9.0
    • By default 9.0 runs in FIPS mode, which does not allow SSLv2.  However, the server could still be configured to allow it.  This has been resolved in 9.0's first patch, 9.0.1.
NOTE: all earlier versions of eDirectory remain vulnerable.


SSLv3:
  • HTTPS
    • Both eDirectory 8.8 SP8 and 9.0 have SSLv3 disabled by default in their HTTPS stack and it cannot be enabled.
  • LDAPS
    • 8.8SP8
      • Enabled by default for LDAPS.  SSLv3 support can be disabled in iManager using the LDAP Options role.
    • 9.0.x
      • By default, eDirectory is in FIPS mode, which does not allow SSLv3 ciphers.  To disable FIPS mode and allow SSLv3 handshakes, pass n4u.server.fips_tls=0 as a parameter to the ndsconfig set command and restart the server.  Example: ndsconfig set n4u.server.fips_tls=0.  Do this only to accommodate legacy clients that cannot negotiate TLS, since it removes the protection FIPS mode provides, and revert it once those clients are gone.

TLSv1.0:

  • 8.8 SP8: TLS 1.0 is the highest version supported.  If SSLv3 is disabled, only TLS 1.0 remains available.
  • 9.0: supports TLS 1.0, 1.1 & 1.2.


TLSv1.1 & 1.2:

  • Only eDirectory 9.0 can support these handshakes.  To configure eDirectory 9.0 to only allow TLS 1.2 please see: TID 7017644




iManager 2.7 SP7 & 3.0


SSLv2:

  • Support for this was removed from iManager years ago.  Therefore, neither version can fall back to the old ciphers, and both are immune to the DROWN vulnerability and CVE-2015-3197.
  • Both 2.7 SP7 & 3.0 have this disabled and it cannot be manually re-enabled.


SSLv3:


TLSv1.0, 1.1 & 1.2:
  • Both iManager 2.7 SP7 and iManager 3.0 support TLS versions 1.0, 1.1 and 1.2.




LDAP Proxy 1.5.2

  • SSLv2:
    • SSLv2 has been completely removed from the 1.5.1 version of the LDAP Proxy.  Therefore, it is immune to the DROWN attack.
  • SSLv3:
    • By default this is disabled.  However, both the back-end connections and the listener can be configured to use SSLv3 if older clients are still in use.
  • TLSv1.0, 1.1 & 1.2:
    • These are all fully supported.




In summary, the product versions listed above are immune to DROWN.
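Whatever the documented defaults, the setting that matters is what each listener actually negotiates.  The following script is an added example for this TID, not NetIQ code: it pins openssl s_client to one protocol version at a time and reports whether the server completed the handshake.  It assumes the openssl CLI is on PATH; the host name and port in the usage line are placeholders (636 is the conventional LDAPS port), and openssl builds that no longer compile SSLv2 or SSLv3 cannot test those versions, which the script reports as "untestable" rather than "rejected".

```shell
#!/bin/sh
# tls_probe.sh: report which SSL/TLS versions a listener actually accepts.
# Added example for TID 7017315, not NetIQ code. Assumes the openssl CLI is
# on PATH. The -ssl2/-ssl3 flags only exist in openssl builds that still
# compile those protocols; an unknown flag is reported as "untestable".

# Map a protocol name to the s_client flag that forces exactly that version.
flag_for() {
  case "$1" in
    SSLv2)   echo "-ssl2" ;;
    SSLv3)   echo "-ssl3" ;;
    TLSv1.0) echo "-tls1" ;;
    TLSv1.1) echo "-tls1_1" ;;
    TLSv1.2) echo "-tls1_2" ;;
    *)       return 1 ;;
  esac
}

# Classify captured s_client output. A completed handshake prints an
# SSL-Session block with a real cipher; a refused one prints "Cipher : 0000"
# (or no session block at all); an unsupported flag prints "unknown option".
classify() {
  out=$1
  case "$out" in
    *"nknown option"*) echo "untestable"; return 0 ;;
  esac
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
    echo "accepted $proto $cipher"
  else
    echo "rejected"
  fi
}

# Attempt one handshake with the version pinned and classify the result.
# s_client exits non-zero on a failed handshake, so the status is ignored
# and only the captured output is interpreted.
probe() {  # host port protocol
  flag=$(flag_for "$3") || { echo "unknown protocol $3" >&2; return 2; }
  out=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>&1) || true
  classify "$out"
}

# Probe every version this TID discusses and print one line per version.
scan() {  # host port
  for p in SSLv2 SSLv3 TLSv1.0 TLSv1.1 TLSv1.2; do
    printf '%-8s %s\n' "$p" "$(probe "$1" "$2" "$p")"
  done
}

# Usage: sh tls_probe.sh ldap.example.com 636   (placeholder host, LDAPS port)
if [ "$#" -eq 2 ]; then
  scan "$1" "$2"
fi
```

Run it against each LDAPS and HTTPS listener of the eDirectory, iManager and LDAP Proxy hosts.  For a server in the state the TID describes, SSLv2 and SSLv3 should come back "rejected" (or "untestable" if the local openssl cannot speak them, in which case test from an older client or an openssl build with those protocols enabled).  Wrap the openssl call in a timeout if the port may be filtered, since s_client blocks until the TCP connection fails.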



Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017315
  • Creation Date:01-MAR-16
  • Modified Date:16-MAY-17
    • NetIQ eDirectory
