Global Security Forum

 View Only
Expand all | Collapse all

How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

  • 1.  How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

    InnerCircle
    Posted Tue February 01, 2022 01:59 PM
    We have got a vulnerability on the IBM Security directory server version 6.4.0.0,
    Can someone advise how to check the protocol version on the ISDS Server? Also what needs to be done to upgrade the version to TLSv1.2?

    ------------------------------
    Thanks,
    Venkat
    ------------------------------


  • 2.  RE: How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

    Posted Wed February 02, 2022 03:26 AM
    First - you should not be running ISDS 6.4.0.0  IF0025 is just out and you should really go to that level...

    I believe the TLS options are described here : https://www.ibm.com/docs/el/sdse/6.4.0?topic=131a-directory-server-instance-ssl-tls-protocols - there is a technote on the subject listing the TLS capabilities here : https://www.ibm.com/support/pages/supported-tls-and-ssl-secure-protocol-versions

    You may want to create a support case if this is not enough to understand what is needed :-)

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

    Posted Wed May 25, 2022 07:47 AM
    Hi Venkat,

    To check TLS Version 1.2

    There are a number of ways that you can check the version of TLS running on the IDSD Server using the following tools. You will need the host and port number on which the service is running. 

    1. sslscan - sslscan --no-failed <HOST>:PORT_NUMBER
    2. openssl - openssl s_client -connect <HOST>:PORT -tls1_2 
    3. nmap - nmap -sV --script ssl-enum-ciphers -p PORT <HOST>

    Please check in with me so I can walk you through each, if you have any issues or problems.

    The second part of your question you ask "What needs to be done to upgrade?" Do you know what version you are currently running? I assume the PEN tester would have advised what version of TLS you are running or not?

    To upgrade/Enable TLS Version 1.2

    Add this information to the ldfi file, if you don't have it then create an ldif file with the following content (i.e. enable_SDS_TLS_1.2.ldif ):

    dn: cn=SSL, cn=Configuration
    changetype: modify
    add: ibm-slapdSecurityProtocol
    ibm-slapdSecurityProtocol: TLS12


    To execute the ldif file, use the following command:

    idsldapmodify -h <host> -p <port> -D <user> -w ? -f enable_SDS_TLS_1.2.ldif


    Hope this helps.

    Enjoy!

    ------------------------------
    Taiyyib Azam
    X-Force Security Consultant
    IBM
    Warwickshire
    07827 902 605
    ------------------------------