Disabling sslv2 on linux for port 636.

Rohit khaladkar rohit.khaladkar at gmail.com
Tue Jun 2 15:26:57 UTC 2009


So adding the following in slapd.conf should do the trick, right?
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

Thanks!
Rohit Khaladkar

On Tue, Jun 2, 2009 at 8:51 PM, Marti, Rob <RJM002 at shsu.edu> wrote:

> Right.  So it's not Apache listening on that port.  Changing Apache files
> will do nothing.
>
> Rob Marti
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
> Sent: Tuesday, June 02, 2009 10:12 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Disabling sslv2 on linux for port 636.
>
> Here they are :
> [root at puiqtk01 conf]# lsof -i :636
> COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
> slapd   3498 ldap    9u  IPv6  11266       TCP *:ldaps (LISTEN)
> slapd   3498 ldap   10u  IPv4  11267       TCP *:ldaps (LISTEN)
>
>
> Thanks!
> Rohit Khaladkar
>
> On Tue, Jun 2, 2009 at 8:32 PM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>
> > Can you run (as root)
> >
> > lsof -i :636
> >
> > and paste the results?
> >
> > Cheers,
> > Harry
> >
> >
> > Rohit khaladkar wrote:
> >
> >> Thanks Nigel.
> >> I am editing /opt/ABC/CCR/Apache2/conf/ssl.conf   file.
> >>
> >> On Tue, Jun 2, 2009 at 8:04 PM, Nigel Wade <nmw at ion.le.ac.uk> wrote:
> >>
> >>  Rohit khaladkar wrote:
> >>>
> >>>> Hi All, I want to disable ssl2 on a linux server for Port 636. Here is
> >>>> the procedure that I followed:
> >>>>
> >>>> 1) Edited ssl.conf and added the following entries to it.
> >>>>
> >>>> SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
> >>>> SSLProtocol -All +SSLv3 +TLSv1
> >>>>
> >>>> 2) Restarted Apache service.
> >>>>
> >>>> 3) Restarted network.
> >>>>
> >>>> I checked if ssl2 is disabled using the following command :
> >>>>
> >>>> openssl s_client -connect hostname:636 -ssl2
> >>>>
> >>>> where hostname= server name
> >>>>
> >>>> But it still shows me the certificate. I even tried rebooting the
> >>>> machine, but no luck.
> >>>>
> >>>> Am I missing anything here?
> >>>>
> >>>>
> >>> Port 636 is normally the ldaps port, i.e. SSL encrypted LDAP. Are you
> >>> really listening on that port with Apache? Which ssl.conf did you edit, a
> >>> full path would be rather more specific than just a filename?
> >>>
> >>> Maybe you want to replace 636 with 443 (https) as the openssl request
> >>> port.
> >>>
> >>> --
> >>> Nigel Wade, System Administrator, Space Plasma Physics Group,
> >>>           University of Leicester, Leicester, LE1 7RH, UK
> >>> E-mail :    nmw at ion.le.ac.uk
> >>> Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
> >>>
> >>>
> >>> --
> >>> redhat-list mailing list
> >>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >>> https://www.redhat.com/mailman/listinfo/redhat-list
> >>>
> >>>
> >>
> >>
> >>
> >
>
>
>
> --
> Thanks!
> Rohit Khaladkar
>



-- 
Thanks!
Rohit Khaladkar
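
Added example, not part of the original thread: the `lsof` step above turned into a check that fails when the daemon whose configuration was edited is not the one listening on the port. The sample input is the `lsof -i :636` output quoted in the thread; the function names `listeners` and `owns_port` are hypothetical.

```shell
#!/bin/sh
# Added example: confirm which daemon owns a TLS port before editing its config.
# SAMPLE_LSOF is the `lsof -i :636` output quoted in the thread.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
slapd   3498 ldap    9u  IPv6  11266       TCP *:ldaps (LISTEN)
slapd   3498 ldap   10u  IPv4  11267       TCP *:ldaps (LISTEN)'

# listeners: read `lsof -i` output on stdin and print one unique
# "command pid user" line per process holding a socket in LISTEN state.
# The header row and non-listening (e.g. ESTABLISHED) sockets are skipped.
listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2, $3 }' | sort -u
}

# owns_port EXPECTED: read `lsof -i` output on stdin.
#   returns 0 if a process named EXPECTED is listening,
#   returns 1 if something else owns the port (owner is reported on stderr),
#   returns 2 if nothing is listening at all.
owns_port() {
    expected=$1
    found=$(listeners)
    if [ -z "$found" ]; then
        echo "nothing is listening on this port" >&2
        return 2
    fi
    if printf '%s\n' "$found" |
        awk -v c="$expected" '$1 == c { ok = 1 } END { exit !ok }'; then
        return 0
    fi
    echo "port is owned by [$found], not $expected:" \
         "changes to the $expected configuration will not affect it" >&2
    return 1
}

# Replay the thread's situation: Apache's ssl.conf was edited, slapd listens.
printf '%s\n' "$SAMPLE_LSOF" | owns_port httpd ||
    echo "httpd check failed (status $?)"

# Live use, as root so other users' sockets are visible:
#   lsof -i :636 | owns_port slapd
```
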


