Symantec Access Management

 View Only

Which TLS Ciphers are used by CA Directory DSAs?

  • 1.  Which TLS Ciphers are used by CA Directory DSAs?

    Posted Jul 18, 2018 03:52 PM



    Using the openssl binary, we can view all ciphers provided by this command line tool.


    Using this list, we can test each possible cipher category to a service that has TLS enabled, e.g. an LDAP server or Web Server 


    To list all cipher possible with openssl.

    Ref:  /docs/man1.1.0/apps/ciphers.html 




    openssl ciphers



    To test the ciphers, you can execute openssl with the s_client switch.


    openssl s_client -cipher RSA -connect vapp0001:20394                  [SUCCESSFUL TEST]



    Test with category:  HIGH    ""high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys."


    openssl s_client -cipher HIGH  -connect vapp0001:20394    [TEST SUCCESS]



    openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384 -connect vapp0001:20394     [TEST FAILURE]





    You may wish to skip these tests.


    openssl s_client -cipher DEFAULT -connect vapp0001:20394

    openssl s_client -cipher ALL -connect vapp0001:2039

    openssl s_client -cipher NULL -connect vapp0001:20394





    Other examples:



    openssl s_client -cipher EDH -connect vapp0001:20394



    openssl s_client -cipher ECDH -connect vapp0001:20394






    Best example of success for latest release of TLSv1.2


    openssl s_client -cipher TLSv1.2 -connect vapp0001:20394






    To directly view the CA Directory cipher used (if changed from defaults), you may view these files:








    To view all active CA Directory DSA cipher, open a DXconsole, and issue the command : get ciphers;

    - Or add this setting to CA Directory setting <dsa name>.dxc and issue a dxserver init <dsa name>

    - Then view the <dsa-name>-trace.logs.




    Ref:  Encryption Formats for SSL - CA Directory - 12.6 - CA Technologies Documentation 





    Example to reduce ciphers to TLSv1.2 for CA Directory DSA upon startup:


    Edit the DXHOME/config/ssld/impd.dxc   (or default.dxc)

    - Update the set ssl = {  section as shown



    Validate working with the -d switch for    dxserver -d start  <dsa_name>

    - should only see validate TLSv1.2 ciphers.