Environment
Novell eDirectory 8.8.5 for All Platforms
Novell iMonitor
Situation
It is possible to configure the LDAP server to use only HIGH cipher
encryption, but in earlier versions it wasn't possible to configure
the same for the HTTP stack which iMonitor uses. This feature is
now available with eDirectory 8.8.5 and above.
Resolution
There are three values that can be used to restrict the cipher
usage:
0 - accept HIGH, MEDIUM, LOW and EXPORT ciphers
2 - accept HIGH and MEDIUM ciphers only
3 - accept HIGH ciphers only
To set this value, modify the httpServer object associated with the NCP server object and add or modify the attribute "httpBindRestrictions" with one of these three values. To do so, use the "Modify Object" task in iManager and, in the General tab, use the "Other" link, which allows attributes to be modified directly. eDirectory needs to be restarted for the changes to take effect.
The parameter http.server.bind-restrictions in nds.conf is supposed to control this behavior as well, but at the time this TID was written it wasn't working properly. This issue has been reported to engineering.
Additional Information
It is possible to use the following command to test the ciphers
accepted by iMonitor:
openssl s_client -connect ipaddress:port -ssl3 -cipher LOW
The last parameter, cipher, can have a value of EXPORT, LOW, MEDIUM or HIGH.
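Added example, not part of the original TID: a shell wrapper around the openssl command above that probes each cipher class and compares the result with what the configured httpBindRestrictions value should allow. The function names are hypothetical, and it assumes the local openssl build still offers the class and protocol being tested; a class the local build lacks is reported as untestable rather than rejected.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the TID.

# Cipher classes the TID lists for each httpBindRestrictions value.
expected_classes() {
  case "$1" in
    0) echo "HIGH MEDIUM LOW EXPORT" ;;
    2) echo "HIGH MEDIUM" ;;
    3) echo "HIGH" ;;
    *) return 1 ;;
  esac
}

# verdict <restriction> <class> <accepted|rejected>
verdict() {
  exp=$(expected_classes "$1") || { echo invalid; return 0; }
  case " $exp " in
    *" $2 "*) want=accepted ;;
    *) want=rejected ;;
  esac
  if [ "$3" = "$want" ]; then echo ok
  elif [ "$3" = accepted ]; then echo VIOLATION  # weaker class than configured
  else echo unexpected-reject                    # may be a client-side limit
  fi
}

# probe <ipaddress:port> <class> [protocol flag, default -ssl3 as in the TID]
probe() {
  # A class the local openssl build does not offer cannot be tested.
  openssl ciphers "$2" >/dev/null 2>&1 || { echo untestable; return 0; }
  if openssl s_client -connect "$1" "${3:--ssl3}" -cipher "$2" </dev/null 2>/dev/null |
      grep 'Cipher is' | grep -qv '(NONE)'; then echo accepted
  else echo rejected
  fi
}

# audit <ipaddress:port> <restriction> [protocol flag]; returns 1 on a violation
audit() {
  expected_classes "$2" >/dev/null || { echo "use 0, 2 or 3" >&2; return 2; }
  rc=0
  for class in EXPORT LOW MEDIUM HIGH; do
    seen=$(probe "$1" "$class" "$3")
    if [ "$seen" = untestable ]; then res="skipped, no local $class ciphers"
    else res=$(verdict "$2" "$class" "$seen"); fi
    printf '%-7s %-10s %s\n' "$class" "$seen" "$res"
    if [ "$res" = VIOLATION ]; then rc=1; fi
  done
  return "$rc"
}
```

Run `audit ipaddress:port 3` after restarting eDirectory; a VIOLATION line means a class weaker than the configured restriction was negotiated.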