SSLv2, SSLv3 and TLS 1.x support in eDirectory and iManager

  • 7017315
  • 01-Mar-2016
  • 17-Aug-2021

Environment

NetIQ eDirectory 9.0.1
NetIQ eDirectory 8.8 SP8 Patch 8
NetIQ iManager 3.0.1
NetIQ iManager 2.7 SP7 Patch 7
NetIQ LDAP Proxy 1.5.2



CVE-2016-0800:  DROWN cross-protocol attack on TLS using SSLv2
CVE-2015-3197:  SSLv2 doesn't block disabled ciphers

Situation

Where can a listing be found of current eDirectory, iManager and LDAP Proxy versions and which versions of SSL/TLS they support?

Are any of the above products vulnerable to the DROWN attack?   Given the weaknesses found in older SSL protocols such as SSLv2 and SSLv3, administrators want to know whether current versions of eDirectory still accept these protocols and which versions support the newer protocols, up to TLS 1.2.

Resolution


eDirectory 8.8 SP8 & 9.0

SSLv2:
  • eDirectory 8.8.8 Linux
    • This protocol has always been disabled and cannot be manually re-enabled.
  • eDirectory 8.8.8 Windows
    • A vulnerability in OpenSSL, CVE-2015-3197, allows a client to negotiate SSLv2 ciphers that have been disabled on the server, so SSLv2 could still be used even though its ciphers were switched off.  This has been addressed in 8.8 SP8 Patch 8.
  • eDirectory 9.0
    • By default, 9.0 is in FIPS mode, which does not allow SSLv2.  However, the server could still be configured to allow it.  This has been resolved in 9.0's first patch, 9.0.1.
NOTE: all earlier versions of eDirectory remain vulnerable.


SSLv3:
  • HTTPS
    • Both eDirectory 8.8 SP8 and 9.0 have SSLv3 disabled by default in their HTTPS stack, and it cannot be enabled.
  • LDAPS
    • 8.8SP8
      • Enabled by default for LDAPS.  SSLv3 support can be disabled in iManager using the LDAP Options role; this is the recommended setting unless legacy clients still require SSLv3.
    • 9.0.x
      • By default, eDirectory is in FIPS mode, which does not allow SSLv3 ciphers.  To disable FIPS mode and allow SSLv3 handshakes, pass n4u.server.fips_tls=0 as a parameter to the ndsconfig set command and restart the server.  Example: ndsconfig set n4u.server.fips_tls=0.  Note that this turns FIPS mode off for the whole LDAPS stack, not just for SSLv3, so use it only while legacy clients remain and set n4u.server.fips_tls=1 again once they are gone.

TLSv1.0:

  • 8.8 SP8: TLS 1.0 is the highest version supported.  If SSLv3 is disabled, TLS 1.0 is the only protocol available.
  • 9.0: supports TLS 1.0, 1.1 & 1.2.


TLSv1.1 & 1.2:

  • Only eDirectory 9.0 supports these handshakes.  To configure eDirectory 9.0 to allow only TLS 1.2, see TID 7017644.
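The version lists above can be verified against a running server.  The following POSIX shell script is an added example, not part of this TID or of any NetIQ product: it attempts one openssl s_client handshake per protocol version against a listener and classifies the result.  The hostname and the ports are assumptions to adjust to your environment (LDAPS is normally 636, eDirectory HTTPS 8030, iManager HTTPS 8443); the same script applies to the iManager and LDAP Proxy listeners described further down.  The s_client output fragments used by selfcheck() are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of TID 7017315 or of any NetIQ product.
# Probes which SSL/TLS protocol versions a listener accepts by attempting one
# openssl s_client handshake per version and classifying the output.
# The host and port given on the command line are assumptions: use your
# LDAPS (636), eDirectory HTTPS (8030) or iManager HTTPS (8443) port.

# classify <s_client output>: prints one word describing the outcome.
#   accepted   - handshake completed with the requested protocol
#   refused    - server rejected the protocol (s_client reports no cipher)
#   untestable - this openssl build cannot speak the requested version:
#                modern builds have no -ssl2 (and often no -ssl3), and
#                OpenSSL 3 needs -cipher 'DEFAULT:@SECLEVEL=0' for TLS 1.0/1.1
#   error      - openssl missing, host unreachable, or unexpected output
classify() {
    case $1 in
        *"nknown option"*|*"no protocols available"*)
            # matches both "Unknown option" (1.1/3.x) and "unknown option" (1.0)
            echo untestable ;;
        *"Cipher is (NONE)"*)
            echo refused ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo error ;;
    esac
}

# probe <host> <port> <version-flag>: one handshake attempt, closed right away.
probe() {
    classify "$(openssl s_client -connect "$1:$2" "-$3" </dev/null 2>&1)"
}

# scan <host> <port>: one line per protocol version.
scan() {
    for flag in ssl2 ssl3 tls1 tls1_1 tls1_2; do
        printf '%s:%s %-7s %s\n' "$1" "$2" "$flag" "$(probe "$1" "$2" "$flag")"
    done
}

# Constructed s_client output fragments (not captured from a real server),
# used to check classify() without network access.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol  : TLSv1.2'
SAMPLE_REFUSED='SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
SAMPLE_NOFLAG='s_client: Unknown option: -ssl2'
SAMPLE_SECLEVEL='SSL routines::no protocols available'

selfcheck() {
    [ "$(classify "$SAMPLE_OK")" = accepted ] &&
    [ "$(classify "$SAMPLE_REFUSED")" = refused ] &&
    [ "$(classify "$SAMPLE_NOFLAG")" = untestable ] &&
    [ "$(classify "$SAMPLE_SECLEVEL")" = untestable ]
}

# Usage: ./tlsscan.sh ldap.example.com 636   (hostname is an assumption)
if [ $# -ge 2 ]; then
    scan "$1" "$2"
fi
```

Read "untestable" as a limitation of the client toolkit, not as a server answer: an SSLv2 or SSLv3 probe from a current OpenSSL build proves nothing either way, so use an older toolkit or a dedicated scanner for those two versions.  Because DROWN is a cross-protocol attack, run the SSLv2 probe against every host and port that uses the same RSA key or certificate as the TLS listener, not just the LDAPS port itself.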




iManager 2.7 SP7 & 3.0


SSLv2:

  • Support for SSLv2 was removed from iManager years ago.  Therefore, neither version can fall back to the old ciphers, and both are immune to the DROWN vulnerability and CVE-2015-3197.
  • Both 2.7 SP7 & 3.0 have this disabled and it cannot be manually re-enabled.


SSLv3:


TLSv1.0, 1.1 & 1.2:
  • Both iManager 2.7 SP7 and iManager 3.0 support TLS versions 1.0, 1.1 and 1.2.




LDAP Proxy 1.5.2

  • SSLv2:
    • SSLv2 has been completely removed as of LDAP Proxy 1.5.1.  Therefore, 1.5.1 and later are immune to the DROWN attack.
  • SSLv3:
    • By default this is disabled.  However, both the back-ends and listener can be configured to listen using SSLv3 if older clients are still in use.
  • TLSv1.0, 1.1 & 1.2:
    • These are all fully supported.




In summary, the products at the versions listed in the Environment section above are immune to DROWN.  Keep in mind that DROWN is a cross-protocol attack: a TLS-only listener is still exposed if its RSA private key or certificate is shared with any other service that still accepts SSLv2, so the SSLv2 check has to cover every host and port that uses the same key, not only the eDirectory, iManager or LDAP Proxy listener itself.