Instructions for Disabling SSL 2 in Netscape Servers

Last updated 2004-09-16

This document describes how to disable SSL 2 and all the SSL 2 cipher suites in the following Netscape servers.

Netscape Enterprise Server NES 6.0 and later

These instructions apply to NES 6.0 and later (including all service packs).

To disable SSL 2 via the NES admin server:
  1. Log into admin
  2. Select the instance you want (or stay in and configure the admin server)
  3. Select the Preferences tab
  4. For the listen socket that has SSL enabled, select Attributes
  5. Under Ciphers select SSL2
  6. Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
  7. Click Ok, then Quit to get rid of the window
  8. Click Apply in upper-right of browser
  9. Click Apply Changes and restart the server
  10. Enter your SSL password when prompted
To disable it manually via the configuration files:

1. Edit <server-root>/http-<instance>/config/server.xml:
  • In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
  • To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
Here is an example:

<SSLPARAMS servercertnickname="Server-Cert" ssl2="off"
ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3" ssl3="on"
ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>

2. Stop and restart NES
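
The manual edit above as a script, added here as an example and not part of the original Netscape instructions: it reports every SSLPARAMS element that still enables SSL 2 and applies the two attribute changes. The sample XML and its <config> wrapper are constructed, and reporting a missing ssl2 attribute as a finding is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; the <config> wrapper is a placeholder, not the real file layout.
SAMPLE = '''<config>
<SSLPARAMS servercertnickname="Server-Cert" ssl2="on"
ssl2ciphers="+rc4,+rc4export,-rc2,-rc2export,+des,+desede3" ssl3="on"
ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_null_md5"/>
</config>'''


def audit_sslparams(xml_text):
    """Return (element_index, problem) tuples for each SSLPARAMS element."""
    findings = []
    for idx, el in enumerate(ET.fromstring(xml_text).iter("SSLPARAMS"), 1):
        # Assumption: a missing ssl2 attribute is reported rather than trusted.
        if el.get("ssl2", "").strip().lower() != "off":
            findings.append((idx, "ssl2 is not off"))
        for tok in el.get("ssl2ciphers", "").split(","):
            tok = tok.strip()
            if tok and not tok.startswith("-"):
                findings.append((idx, "ssl2 cipher enabled: " + tok))
    return findings


def disable_ssl2(xml_text):
    """Set ssl2="off" and prefix every ssl2ciphers entry with '-'.

    Works on the raw text so the rest of the file is left byte-for-byte intact.
    """
    def flip(match):
        names = [t.strip().lstrip("+-") for t in match.group(2).split(",") if t.strip()]
        return match.group(1) + ",".join("-" + n for n in names) + '"'

    # "ssl2" followed directly by "=" cannot match inside "ssl2ciphers".
    text = re.sub(r'(\bssl2\s*=\s*")[^"]*"', r'\1off"', xml_text)
    return re.sub(r'(\bssl2ciphers\s*=\s*")([^"]*)"', flip, text)


if __name__ == "__main__":
    for finding in audit_sslparams(SAMPLE):
        print("before:", finding)
    print("after: ", audit_sslparams(disable_ssl2(SAMPLE)) or "no SSL 2 findings")
```

The ssl3 and ssl3tlsciphers attributes are not modified. The server still has to be stopped and restarted for the edited file to take effect.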


Netscape Enterprise Server NES 4.x

  1. Log into admin
  2. Select the instance you want (or stay in and configure the admin server)
  3. Select the Preferences tab
  4. Select Encryption Preferences
  5. Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
  6. Click Ok, then Ok again to acknowledge that your changes have been saved.
  7. Click "Save and Apply" to apply the changes and restart the server.


Directory Server: versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2

This applies to Directory Server versions 6.0, 6.01, 6.02, 6.1, 6.11, and 6.2. 
These steps are not necessary on later versions of Directory Server.

If you have enabled SSL on your Administration Server, please also follow the instructions below to disable SSL 2 ciphers for that server.

  1. Stop Directory Server.
  2. Open the <server_root>/slapd-<instance>/config/dse.ldif file in an editor.  You need to disable all of the SSL 2 ciphers in the "dn:cn=encryption,cn=config" entry by adding the following to the comma-separated list of ciphers in the "nsSSL3ciphers" attribute:
           -rc4,-rc4export,-rc2,-rc2export,-des,-desede3
  3. Restart Directory Server
Here's an example of the nsSSL3ciphers attribute with the correct ciphers disabled:  This should be one line, but it is broken into multiple lines here to be more readable.

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3

Notes:
  • It is important that you include the hyphen character before each cipher when modifying the "nsSSL3ciphers" attribute.  That tells Directory Server to not enable those ciphers.
  • If you modify your cipher preferences through Directory Server Console again, you will lose these manually added ciphers.  You would then need to go through this procedure of modifying the dse.ldif file again.
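
A check for the dse.ldif edit, added here as an example and not part of the original Netscape instructions: it unfolds LDIF continuation lines (a physical line starting with one space continues the previous one) and lists any SSL 2 cipher that is not present with a leading hyphen in the cn=encryption,cn=config entry. The sample entry is constructed.

```python
SSL2_CIPHERS = ["rc4", "rc4export", "rc2", "rc2export", "des", "desede3"]

# Constructed dse.ldif fragment: the value is folded with a proper LDIF
# continuation line, but "-desede3" was left out.
SAMPLE_LDIF = """dn: cn=encryption,cn=config
objectClass: top
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 -rc4,-rc4export,-rc2,-rc2export,-des

dn: cn=other,cn=config
"""


def unfold(ldif_text):
    """Join LDIF continuation lines onto the logical line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def missing_ssl2_disables(ldif_text):
    """Return the SSL 2 ciphers that lack a '-' entry in nsSSL3Ciphers."""
    in_entry = False
    tokens = set()
    for line in unfold(ldif_text):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            # Accept both "dn: cn=..." and "dn:cn=..." spellings.
            in_entry = value.replace(" ", "").lower() == "cn=encryption,cn=config"
        elif in_entry and name == "nsssl3ciphers":
            tokens.update(t.strip() for t in value.split(","))
    # Whole-token comparison, so "-desede3" does not satisfy "-des".
    return [c for c in SSL2_CIPHERS if "-" + c not in tokens]


if __name__ == "__main__":
    print("still missing:", missing_ssl2_disables(SAMPLE_LDIF))
```

If the readable multi-line form shown above is pasted into dse.ldif without the leading space on each continuation line, the extra lines are not part of the attribute value and the check reports all six ciphers as missing.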


CMS: versions 4.1, 4.2, 4.5, 6.0, 6.01, 6.1, and 6.2

If you have enabled SSL on your Administration Server, please also follow the instructions under that product to disable SSL 2 ciphers.

If you have enabled SSL on your Directory Server, please also follow the instructions under that product to disable SSL 2 ciphers for each instance of DS.

To disable SSL 2 ciphers in CMS 4.1, 4.2, 4.5, and all subsequent 4.x patches/service packs, perform the following steps for each instance of CMS:
  1. cd <server_root>/cert-<instance>/
  2. ./stop-cert
  3. cd <server_root>/cert-<instance>/config/
  4. edit CMS.cfg and change the line "jss.ssl.cipherpref=" to  jss.ssl.cipherpref=rsa_rc4_40_md5,rsa_rc4_128_md5,rsa_des_sha,rsa_3des_sha,rsa_fips_3des_sha,rsa_fips_des_sha
  5. cd <server_root>/cert-<instance>/
  6. ./start-cert

To disable SSL 2 ciphers in CMS 6.0, 6.01, 6.1, 6.2, and all subsequent 6.x patches/service packs, disable them manually via the configuration files, according to the following steps:
  • To disable SSL 2 for each instance of CMS that has already been created, for the given <server_root>:
    1. cd <server_root>/cert-<instance>/
    2. ./stop-cert
    3. cd <server_root>/cert-<instance>/config/
    4. edit <server_root>/bin/cert-<instance>/config/server.xml:
      • In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
      • To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.
    5. cd <server_root>/cert-<instance>/
    6. ./start-cert

    Here is an example:

    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
    ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>

  • To disable SSL 2 in all future instances of CMS for the given <server_root>:
    1. cd <server_root>/bin/cert/templates/https/config/
    2. edit <server_root>/bin/cert/templates/https/config/server.xml:
      • In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
      • To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the ciphers listed.

    Here is an example:  It has been broken into multiple lines here to be more readable.

    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
    ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>


Administration Servers for Directory Server and CMS


To disable SSL 2 ciphers in Administration Servers contained in Directory Server 4.x and CMS 4.x and all subsequent 4.x patches/service packs, perform the following steps via the Administration Console:
  1. Launch a console and login
  2. From the primary Console tab, open the <hostname> by clicking on the '+' sign immediately preceding it, and then open the Server Group by clicking on the '+' sign immediately preceding it
  3. Highlight the Administration Server, and click on the Open button on the right-hand side of the console
  4. From the Administration Console, select the Configuration tab
  5. On the right-hand side of the Configuration frame, select the Encryption tab
  6. Presuming that SSL has been enabled, click on the Cipher Preferences button.  A dialog will be displayed containing all of the ciphers; deselect all checkboxes under SSL 2.0 ciphers including:
    • RC4 with 40 bit encryption and MD5 message authentication
    • RC2 with 40 bit encryption and MD5 message authentication
    • RC4 with 128 bit encryption and MD5 message authentication
    • RC2 with 128 bit encryption and MD5 message authentication
    • DES with 56 bit encryption and MD5 message authentication
    • Triple DES with 168 bit encryption and MD5 message authentication
  7. Deselect the main SSL 2.0 ciphers checkbox
  8. Click the OK button
  9. Click the Save button
  10. Close the Administration Console
  11. Close the primary Console
  12. cd <server_root>/
  13. ./stop-admin
  14. ./start-admin
To disable SSL 2 ciphers in Administration Servers contained in Directory Server 6.x and CMS 6.x and all subsequent 6.x patches/service packs, perform the following steps via the Administration Console:
  1. Launch a console and login
  2. From the primary Console tab, open the <hostname> by clicking on the '+' sign immediately preceding it, and then open the Server Group by clicking on the '+' sign immediately preceding it
  3. Highlight the Administration Server, and click on the Open button on the right-hand side of the console
  4. From the Administration Console, select the Configuration tab
  5. On the right-hand side of the Configuration frame, select the Encryption tab
  6. Presuming that SSL has been enabled, click on the Settings button located after the Cipher: label
  7. A dialog entitled Cipher Preference will be displayed containing all of the ciphers; select the SSL 2.0 tab
  8. Deselect all checkboxes under SSL 2.0 ciphers including:
    • DES            56     MD5
    • RC2 (Export)   40     MD5
    • RC4 (Export)   40     MD5
    • DES            168    MD5
    • RC4            128    MD5
    • RC2            128    MD5
  9. Click the OK button
  10. Click the Save button
  11. Close the Administration Console
  12. Close the primary Console
  13. cd <server_root>/
  14. ./stop-admin
  15. ./start-admin
To ensure that the Administration Server has disabled SSL 2.0, check the following configuration file manually:
  1. cd <server_root>/
  2. ./stop-admin
  3. cd <server_root>/admin-serv/config/
  4. edit <server_root>/admin-serv/config/server.xml:
    • In the SSLPARAMS element there is an ssl2 attribute. Set this to "off".
    • To also disable all of the ssl2 ciphers, replace "+" with "-" in the ssl2ciphers attribute for all of the SSL 2 ciphers listed.
  5. cd <server_root>/
  6. ./start-admin
Here is an example.  (It has been broken into two lines here for readability, but should be one line)

<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
ssl3="on" ssl3tlsciphers="+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5"/>