TLS 1.0/1.1 ciphers disabled by default for secure LDAP connections
About this task
Previously, Rational ClearQuest had the following ciphers enabled by default for TLS 1.0, TLS 1.1, and SSLV3:

Cipher                      Hex value
SLAPD_SSL_RC4_MD5_EX        "03"
SLAPD_SSL_RC2_MD5_EX        "06"
SLAPD_SSL_RC4_SHA_US        "05"
SLAPD_SSL_RC4_MD5_US        "04"
SLAPD_SSL_DES_SHA_US        "09"
SLAPD_SSL_3DES_SHA_US       "0A"
SLAPD_SSL_AES_128_SHA_US    "2F"
SLAPD_SSL_AES_256_SHA_US    "35"
SSLV3 is disabled by default. To enable it, see technote 21689920.
Rational ClearQuest now has the following TLS 1.0/TLS 1.1 ciphers enabled by default:

Cipher                      Hex value
SLAPD_SSL_AES_128_SHA_US    "2F"
SLAPD_SSL_AES_256_SHA_US    "35"
To enable other TLS 1.0 and TLS 1.1 ciphers, use the '-S' and '-c' parameters in the LDAP initialization string that is defined by the installutil setldapinit command. For more information, see the installutil setldapinit topic.
-S refers to LDAP_OPT_SSL_SECURITY_PROTOCOL. It accepts the values SSLV3, TLS10, TLS11, and TLS12, either singly or as a comma-separated list. See the note above about SSLV3 usage.
-c refers to LDAP_OPT_SSL_CIPHER, that is, the ciphers available for TLS 1.0, TLS 1.1, and SSLV3. Its values are the two-digit hex codes listed in the table above, and several of them can be concatenated into one string. Consult your LDAP server administrator for the values appropriate to your environment.
Note: -C refers to LDAP_OPT_SSL_CIPHER_EX, or the ciphers available for TLS 1.2.
Example
installutil setldapinit 8.0.0 admin "" "-h ldapserver -Z -K 'win:c:\key.kdb;unix:/tmp/key.kdb' -S TLS10,TLS11 -c 05042F35"
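The following script is an added example for this technote, not code from IBM or from ClearQuest itself. It parses the LDAP initialization string shown in the command above, decodes the concatenated two-digit hex codes in '-c' back into the cipher names from the table in this technote, and reports which ciphers re-enable something beyond the new default set (2F and 35) or request SSLV3. The init string used as input is the one from the example; the function and variable names are the author's own choices, and the cipher table contains only the entries this technote lists.

```python
"""Decode the '-S' and '-c' options of a ClearQuest LDAP init string."""
import shlex

# Hex value -> cipher name, copied from the table in this technote.
CIPHER_TABLE = {
    "03": "SLAPD_SSL_RC4_MD5_EX",
    "06": "SLAPD_SSL_RC2_MD5_EX",
    "05": "SLAPD_SSL_RC4_SHA_US",
    "04": "SLAPD_SSL_RC4_MD5_US",
    "09": "SLAPD_SSL_DES_SHA_US",
    "0A": "SLAPD_SSL_3DES_SHA_US",
    "2F": "SLAPD_SSL_AES_128_SHA_US",
    "35": "SLAPD_SSL_AES_256_SHA_US",
}

# The TLS 1.0/1.1 ciphers that stay enabled by default after the change.
DEFAULT_CIPHERS = {"2F", "35"}

# Init string taken from the example command in this technote (the last
# quoted argument of installutil setldapinit).
EXAMPLE_INIT = (
    r"-h ldapserver -Z -K 'win:c:\key.kdb;unix:/tmp/key.kdb' "
    r"-S TLS10,TLS11 -c 05042F35"
)


def parse_ldap_init(init_string):
    """Return {option letter: value} for an init string.

    Options followed by a value ('-S TLS10') map to that value; bare flags
    ('-Z') map to True. Option letters are case-sensitive, so '-c' and
    '-C' are distinct, as they are in ClearQuest.
    """
    tokens = shlex.split(init_string)  # honours the single-quoted -K value
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r} in init string")
        name = tok[1:]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if has_value:
            opts[name] = tokens[i + 1]
            i += 2
        else:
            opts[name] = True
            i += 1
    return opts


def decode_ciphers(hex_string):
    """Split a concatenated '-c' value into (hex, name) pairs.

    '05042F35' -> [('05', 'SLAPD_SSL_RC4_SHA_US'), ...]. Codes the technote
    does not list are reported as UNKNOWN rather than silently dropped.
    """
    hex_string = hex_string.upper()
    if len(hex_string) % 2 != 0:
        raise ValueError(f"odd-length cipher string {hex_string!r}")
    codes = [hex_string[i:i + 2] for i in range(0, len(hex_string), 2)]
    return [(c, CIPHER_TABLE.get(c, f"UNKNOWN({c})")) for c in codes]


def audit_ldap_init(init_string):
    """Summarise the protocol and cipher settings an init string requests."""
    opts = parse_ldap_init(init_string)
    protocols = opts["S"].split(",") if isinstance(opts.get("S"), str) else []
    ciphers = decode_ciphers(opts["c"]) if isinstance(opts.get("c"), str) else []
    return {
        "protocols": protocols,
        "sslv3_requested": "SSLV3" in protocols,
        "ciphers": ciphers,
        # Ciphers beyond the hardened default set are what a reviewer wants
        # called out explicitly.
        "non_default": [h for h, _ in ciphers if h not in DEFAULT_CIPHERS],
        # '-C' carries the TLS 1.2 list (LDAP_OPT_SSL_CIPHER_EX); it is a
        # separate option and is only surfaced here, not decoded.
        "tls12_cipher_option": opts.get("C") if isinstance(opts.get("C"), str) else None,
    }


if __name__ == "__main__":
    report = audit_ldap_init(EXAMPLE_INIT)
    print("Protocols:", ", ".join(report["protocols"]))
    for code, name in report["ciphers"]:
        marker = "" if code in DEFAULT_CIPHERS else "  <- not in new default set"
        print(f"  {code} {name}{marker}")
    if report["sslv3_requested"]:
        print("SSLV3 requested; see technote 21689920 before enabling it.")
```

Running it against the example init string lists TLS10 and TLS11 as the protocols and flags 05 (RC4/SHA) and 04 (RC4/MD5) as ciphers that the '-c' value re-enables on top of the AES defaults; this is the check to run on an existing setldapinit value before deciding whether the extra ciphers are still needed.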