Symantec Access Management

Expand all | Collapse all

CA Directory can only talk TLS or SSLv3, not both.Can it do both?

Jump to Best Answer
  • 1.  CA Directory can only talk TLS or SSLv3, not both.Can it do both?

    Posted 09-18-2015 10:37 AM

    We are in a situation where we are in the middle of a large Siteminder migration 12.0 to 12.52.  The issue is SM 12.0 can only talk to CA Directory via SSLv3, while 12.52 only TLS since the poodle patch.  The ask is can CA Directory be configured to accept both TLS and SSLv3 at the same time?



  • 2.  Re: CA Directory can only talk TLS or SSLv3, not both.Can it do both?
    Best Answer

    Posted 09-20-2015 06:48 PM

    Yes CA Directory can support both versions of the SSL protocol on different connections (determined during the handshake).

     

    Since r12 SP14, CA Directory ships in TLS only mode, this can be downgraded by making the following configuration change on all servers:

     

    Note: fips = true can't be enabled as this forces TLS.

     

    $DXHOME/config/ssld/default.dxc

    set ssl = {

        # folder containing DSA personality certs

        cert-dir = "config/ssld/personalities"

     

        # trusted root CA that signed DSA certificates

        ca-file = "config/ssld/trusted.pem"

     

        # SSL options

        # cipher = "ALL:!EXPORT40:!ADH:!SSLv2:!EXP:!LOW" # default ciphers - syntax on OpenSSL website

     

        protocol = ssl

     

        # fips = true # enables FIPS 140-2 compliant encryption

     

        # HSM options

        # pin = "<str>" # HSM pin

        # lib = "<str>" # path to PKCS11 library supplied by HSM vendor

        # slot = <num> # slot to use for HSM based encryption

    };