Global Security Forum


How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

  • 1.  How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

    Posted Tue February 01, 2022 01:59 PM
    We have got a vulnerability reported on the IBM Security Directory Server version 6.4.0.0.
    Can someone advise how to check the protocol version on the ISDS Server? Also, what needs to be done to upgrade the version to TLSv1.2?

    ------------------------------
    Thanks,
    Venkat
    ------------------------------


  • 2.  RE: How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

    Posted Wed February 02, 2022 03:26 AM
    First - you should not be running ISDS 6.4.0.0. IF0025 is just out and you should really go to that level...

    I believe the TLS options are described here: https://www.ibm.com/docs/el/sdse/6.4.0?topic=131a-directory-server-instance-ssl-tls-protocols - there is a technote on the subject listing the TLS capabilities here: https://www.ibm.com/support/pages/supported-tls-and-ssl-secure-protocol-versions

    You may want to create a support case if this is not enough to understand what is needed :-)

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: How to resolve TLS Version 1.0 Protocol Detection vulnerability on ISDS Server?

    Posted Wed May 25, 2022 07:47 AM
    Hi Venkat,

    To check TLS Version 1.2

    There are a number of ways that you can check the version of TLS running on the ISDS Server, using the following tools. You will need the host and port number on which the service is running.

    1. sslscan - sslscan --no-failed <HOST>:PORT_NUMBER
    2. openssl - openssl s_client -connect <HOST>:PORT -tls1_2 
    3. nmap - nmap -sV --script ssl-enum-ciphers -p PORT <HOST>

    Please check in with me so I can walk you through each, if you have any issues or problems.

    In the second part of your question you ask "What needs to be done to upgrade?" Do you know what version you are currently running? I assume the pen tester would have advised what version of TLS you are running, or not?

    To upgrade/Enable TLS Version 1.2

    Add this information to the ldif file; if you don't have one, then create an ldif file with the following content (e.g. enable_SDS_TLS_1.2.ldif):

    dn: cn=SSL, cn=Configuration
    changetype: modify
    add: ibm-slapdSecurityProtocol
    ibm-slapdSecurityProtocol: TLS12


    To execute the ldif file, use the following command:

    idsldapmodify -h <host> -p <port> -D <user> -w ? -f enable_SDS_TLS_1.2.ldif


    Hope this helps.

    Enjoy!

    ------------------------------
    Taiyyib Azam
    X-Force Security Consultant
    IBM
    Warwickshire
    07827 902 605
    ------------------------------
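The three tools in the reply above each answer "which TLS versions does this listener accept?" in their own output format. The script below is an added example, not code from the forum post or from IBM, that does the same check with only the Python standard library so it can be run before and after the ibm-slapdSecurityProtocol change to confirm that TLS 1.0/1.1 are refused and TLS 1.2 is accepted. The host and port are assumptions supplied by the caller; it does not know anything ISDS-specific beyond "a TLS listener on a port". One caveat it handles: a modern OpenSSL may refuse to offer TLS 1.0/1.1 at all, which is reported as "cannot test" rather than as a server refusal.

```python
"""Probe which TLS protocol versions a listener accepts (added example).

One handshake per protocol version, pinned to exactly that version, so a
successful handshake proves the server negotiates it.  Host/port are
assumptions passed in by the caller.
"""
import socket
import ssl
import sys
from typing import Dict, Optional

# Versions to try, oldest first.  TLS 1.0/1.1 are what a scanner flags;
# TLS 1.2/1.3 are what you want to see accepted after the change.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Build a client context that can only ever negotiate `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol negotiation, not the certificate chain, so
    # certificate verification is switched off for the probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security
    # level; lower it so the probe can actually offer those versions.
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """True if the server completed a handshake with exactly `version`,
    False if it refused (or is unreachable), None if the local OpenSSL
    cannot offer that version at all, so the answer is unknown."""
    try:
        ctx = _context_for(version)
    except ValueError:
        return None  # version compiled out of the local library
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # "no protocols available" is our side failing to offer it; any
        # other alert (protocol_version, handshake_failure) is a refusal.
        if "no protocols available" in str(exc).lower():
            return None
        return False
    except OSError:
        return False


def probe_all(host: str, port: int) -> Dict[str, Optional[bool]]:
    """Probe every version in VERSIONS against one listener."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results: Dict[str, Optional[bool]]) -> str:
    """Turn probe results into the finding a scanner would report."""
    legacy = [n for n in ("TLSv1.0", "TLSv1.1") if results.get(n)]
    modern = [n for n in ("TLSv1.2", "TLSv1.3") if results.get(n)]
    untested = [n for n, r in results.items() if r is None]
    if legacy:
        return "FAIL: legacy protocol(s) still accepted: " + ", ".join(legacy)
    if not modern:
        return "WARN: no TLS 1.2/1.3 handshake succeeded; check the listener"
    note = (" (could not test: " + ", ".join(untested) + ")") if untested else ""
    return "PASS: only " + ", ".join(modern) + " accepted" + note


if __name__ == "__main__":
    # Usage: python tls_probe.py <host> <port>   (host/port are the caller's)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    outcome = probe_all(target_host, target_port)
    for name, accepted in outcome.items():
        state = {True: "accepted", False: "refused", None: "cannot test"}[accepted]
        print(f"{name}: {state}")
    print(assess(outcome))
```

Run it once before applying the ldif and once after: the first run should show TLS 1.0 accepted (the scanner finding), the second should report PASS with TLS 1.0/1.1 refused. If the local OpenSSL cannot offer TLS 1.0 at all, the probe says so rather than silently reporting a refusal, which is when the sslscan or nmap output from the reply above is the better source of truth.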