PingDirectory

Configuring supported TLS protocols and cipher suites

By default, the PingDirectory server enables support for the following TLS protocol versions:

  • TLS 1.2

  • TLS 1.3 (if supported by the underlying Java Virtual Machine (JVM))

This default attempts to strike a good balance between providing the best security and maintaining compatibility with legacy clients.

Modern security best practices recommend only enabling support for TLS 1.2 and TLS 1.3, but some legacy LDAP clients can only support older versions. However, if you are confident that your LDAP clients support the more modern protocols, you can configure the server to only support those versions.

The server also tries to select an appropriate set of cipher suites to use for the TLS communication. It excludes suites that use known-weak key exchange, encryption, and digest algorithms, and it prioritizes key exchange algorithms that support forward secrecy over those that do not. However, as with the TLS protocol versions, you can also explicitly customize the set of cipher suites that you want to support.

The set of TLS protocols and cipher suites can be customized on a per-connection-handler basis using the connection handler’s ssl-protocol and ssl-cipher-suite configuration properties. You should also customize those properties in the crypto manager configuration, as the server uses that for other purposes like securing replication traffic.

dsconfig set-crypto-manager-prop \
     --set ssl-protocol:TLSv1.2 \
     --set ssl-protocol:TLSv1.3 \
     --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV

dsconfig set-connection-handler-prop \
     --handler-name "LDAPS Connection Handler" \
     --set ssl-protocol:TLSv1.2 \
     --set ssl-protocol:TLSv1.3 \
     --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV

dsconfig set-connection-handler-prop \
     --handler-name "LDAP Connection Handler" \
     --set ssl-protocol:TLSv1.2 \
     --set ssl-protocol:TLSv1.3 \
     --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV

dsconfig set-connection-handler-prop \
     --handler-name "HTTPS Connection Handler" \
     --set ssl-protocol:TLSv1.2 \
     --set ssl-protocol:TLSv1.3 \
     --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
     --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
     --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV

See the configure-enabled-tls-protocols.dsconfig and configure-enabled-tls-cipher-suites.dsconfig files in the config/sample-dsconfig-batch-files directory for more information.
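The four commands above repeat the same protocol and cipher-suite list, so a later edit to one of them can leave a connection handler or the crypto manager on a different set. The following script is an added example, not part of the PingDirectory documentation or tooling: it prints all four dsconfig commands from a single list and refuses protocols other than TLSv1.2/TLSv1.3 and suites without forward secrecy. The function names suite_ok and emit_tls_config and the name-matching policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not PingDirectory code): one list, four identical dsconfig commands.
# suite_ok NAME: policy assumed for this example, based only on the suite name.
suite_ok() {
  case "$1" in
    *_NULL_*|*_anon_*|*_RC4_*|*_3DES_*|*_DES_*|*_EXPORT_*|*_MD5) return 1 ;;  # weak
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV) return 0 ;;  # signalling value, not a cipher
    TLS_AES_*|TLS_CHACHA20_*) return 0 ;;           # TLS 1.3 suites
    TLS_ECDHE_*|TLS_DHE_*) return 0 ;;              # forward-secret key exchange
    *) return 1 ;;                                  # e.g. static-RSA TLS_RSA_WITH_*
  esac
}

# emit_tls_config "PROTOCOLS" "SUITES": both lists are whitespace separated.
emit_tls_config() {
  args=""
  for p in $1; do
    case "$p" in TLSv1.2|TLSv1.3) ;; *) echo "refusing protocol: $p" >&2; return 1 ;; esac
    args="$args --set ssl-protocol:$p"
  done
  for s in $2; do
    suite_ok "$s" || { echo "refusing suite: $s" >&2; return 1; }
    args="$args --set ssl-cipher-suite:$s"
  done
  printf 'dsconfig set-crypto-manager-prop%s\n' "$args"
  for target in "LDAPS Connection Handler" "LDAP Connection Handler" "HTTPS Connection Handler"; do
    printf 'dsconfig set-connection-handler-prop --handler-name "%s"%s\n' "$target" "$args"
  done
}

# The cipher suites from the commands above, in the same order.
SUITES="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV"

emit_tls_config "TLSv1.2 TLSv1.3" "$SUITES"
```

The script only prints the commands; review the output before running it against a server.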