Configuring supported TLS protocols and cipher suites
By default, the PingDirectory server enables support for the following TLS protocol versions:
-
TLS 1.2
-
TLS 1.3 (if supported by the underlying Java Virtual Machine (JVM))
This attempts to strike a good balance between providing the best security and maintaining compatibility with legacy clients.
Modern security best practices recommend only enabling support for TLS 1.2 and TLS 1.3, but some legacy LDAP clients can only support older versions. However, if you are confident that your LDAP clients support the more modern protocols, you can configure the server to only support those versions.
The server also tries to select an appropriate set of cipher suites to use for the TLS communication. It excludes suites that use known-weak key exchange, encryption, and digest algorithms and prioritizes key exchange algorithms that support forward secrecy over those that do not. However, as with the TLS protocol you can also explicitly customize the set of cipher suites that you wish to support.
The set of TLS protocols and cipher suites can be customized on a per-connection-handler basis using the connection handler’s ssl-protocol
and ssl-cipher-suite
configuration properties. You should also customize those properties in the crypto manager configuration, as the server uses that for other purposes like securing replication traffic.
dsconfig set-crypto-manager-prop \ --set ssl-protocol:TLSv1.2 \ --set ssl-protocol:TLSv1.3 \ --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV dsconfig set-connection-handler-prop \ --handler-name "LDAPS Connection Handler" \ --set ssl-protocol:TLSv1.2 \ --set ssl-protocol:TLSv1.3 \ --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV dsconfig set-connection-handler-prop \ --handler-name "LDAP Connection Handler" \ --set ssl-protocol:TLSv1.2 \ --set ssl-protocol:TLSv1.3 \ --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV dsconfig set-connection-handler-prop \ --handler-name "HTTPS Connection Handler" \ --set ssl-protocol:TLSv1.2 \ --set ssl-protocol:TLSv1.3 \ --set ssl-cipher-suite:TLS_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ --set ssl-cipher-suite:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ --set ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
See the configure-enabled-tls-protocols.dsconfig
and configure-enabled-tls-cipher-suites.dsconfig
files in the config/sample-dsconfig-batch-files
directory for more information.