IBM Support

Certain TLS 1.0/1.1 ciphers are now disabled by default for secure LDAP connections.

Troubleshooting

Problem

Several TLS ciphers are vulnerable to "CVE-2016-2183, Sweet32: Birthday attacks on 64-bit block ciphers in TLS." These ciphers are disabled by default in ClearQuest for secure LDAP connections.

Symptom

Unable to log in to ClearQuest via LDAP authentication if one of these ciphers is used.

Cause

See the "Resolving the problem" section.

Resolving The Problem

Prior to this release, ClearQuest had the following TLS 1.0/TLS 1.1 ciphers enabled by default:

Cipher                      Hex value
SLAPD_SSL_RC4_MD5_EX        "03"
SLAPD_SSL_RC2_MD5_EX        "06"
SLAPD_SSL_RC4_SHA_US        "05"
SLAPD_SSL_RC4_MD5_US        "04"
SLAPD_SSL_DES_SHA_US        "09"
SLAPD_SSL_3DES_SHA_US       "0A"
SLAPD_SSL_AES_128_SHA_US    "2F"
SLAPD_SSL_AES_256_SHA_US    "35"

Note that SSLV3 is disabled by default. To enable it, see the technote http://www.ibm.com/support/docview.wss?uid=swg21689920.

ClearQuest now has the following TLS 1.1/TLS 1.0 ciphers enabled by default:

Cipher                      Hex value
SLAPD_SSL_AES_128_SHA_US    "2F"
SLAPD_SSL_AES_256_SHA_US    "35"

To enable other TLS 1.0 and TLS 1.1 ciphers, use the '-S' and '-c' parameters in the LDAP initialization string that is defined by the installutil setldapinit command. For more information, see the installutil setldapinit topic in the IBM Knowledge Center.

  • -S refers to LDAP_OPT_SSL_SECURITY_PROTOCOL. It can be set to one of SSLV3, TLS10, TLS11 and TLS12, or to several of these values separated by commas. See the note above about SSLV3 usage.
  • -c refers to LDAP_OPT_SSL_CIPHER, that is, the ciphers available for TLS 1.0, TLS 1.1 and SSLV3. Its supported values are the hex codes listed in the table above, and several of them can be concatenated into one value. Consult your LDAP server administrator for the values to use for this option.

Note: -C refers to LDAP_OPT_SSL_CIPHER_EX, that is, the ciphers available for TLS 1.2. To use TLS 1.2, see the technote http://www-01.ibm.com/support/docview.wss?uid=swg21646724.

Example:

installutil setldapinit 8.0.0 admin "" "-h ldapserver -Z -K 'win:c:\key.kdb;unix:/tmp/key.kdb' -S TLS10,TLS11 -c 05042F35"
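The following script is an added example, not IBM code or part of this technote. It parses the -S and -c values out of a setldapinit initialization string such as the one above, maps each two-character hex code to the cipher name from the table in this technote, and reports which ciphers fall outside the hardened default set (2F and 35), whether SSLV3 is listed, and any codes the table does not cover. It assumes that an absent -c means the current defaults apply; the key paths in the embedded example string are the illustrative ones from the technote.

```python
"""Audit the -S / -c values in a ClearQuest LDAP initialization string.

Constructed example for this technote; the cipher table and the hardened
default set are copied from it, everything else is an assumption.
"""
import re
import shlex

# TLS 1.0/1.1 cipher codes and names, as listed in the technote's table.
CIPHER_NAMES = {
    "03": "SLAPD_SSL_RC4_MD5_EX",
    "06": "SLAPD_SSL_RC2_MD5_EX",
    "05": "SLAPD_SSL_RC4_SHA_US",
    "04": "SLAPD_SSL_RC4_MD5_US",
    "09": "SLAPD_SSL_DES_SHA_US",
    "0A": "SLAPD_SSL_3DES_SHA_US",
    "2F": "SLAPD_SSL_AES_128_SHA_US",
    "35": "SLAPD_SSL_AES_256_SHA_US",
}

# The set ClearQuest now enables by default for TLS 1.0/1.1.
DEFAULT_CIPHERS = ("2F", "35")


def option_value(init_string, flag):
    """Return the token following an exact flag, or None if it is absent.

    The match is case-sensitive on purpose: '-c' (LDAP_OPT_SSL_CIPHER) and
    '-C' (LDAP_OPT_SSL_CIPHER_EX, TLS 1.2) are different options.
    """
    tokens = shlex.split(init_string)
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def parse_cipher_option(value):
    """Split a concatenated -c value such as '05042F35' into 2-hex-digit codes.

    Raises ValueError when the value is empty, has odd length or contains
    characters that are not hex digits, so a typo is not silently ignored.
    """
    value = value.strip().upper()
    if not value or len(value) % 2 or not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError(f"malformed LDAP_OPT_SSL_CIPHER value: {value!r}")
    return [value[i:i + 2] for i in range(0, len(value), 2)]


def audit_init_string(init_string):
    """Describe the protocols and ciphers an init string enables."""
    raw_protocols = option_value(init_string, "-S") or ""
    protocols = [p.strip().upper() for p in raw_protocols.split(",") if p.strip()]
    raw_ciphers = option_value(init_string, "-c")
    # Assumption: with no -c present the current defaults (2F, 35) apply.
    codes = parse_cipher_option(raw_ciphers) if raw_ciphers else list(DEFAULT_CIPHERS)
    return {
        "protocols": protocols,
        "sslv3_enabled": "SSLV3" in protocols,
        "ciphers": [CIPHER_NAMES.get(c, "UNKNOWN") for c in codes],
        # Codes from the table that the new defaults no longer enable.
        "non_default": [c for c in codes if c in CIPHER_NAMES and c not in DEFAULT_CIPHERS],
        # Codes the technote's table does not list at all.
        "unknown": [c for c in codes if c not in CIPHER_NAMES],
    }


def hardened_cipher_option(value):
    """Keep only default-set codes, preserving order: '05042F35' -> '2F35'."""
    return "".join(c for c in parse_cipher_option(value) if c in DEFAULT_CIPHERS)


# The technote's own example init string (key paths are illustrative).
EXAMPLE_INIT = (
    "-h ldapserver -Z -K 'win:c:\\key.kdb;unix:/tmp/key.kdb' "
    "-S TLS10,TLS11 -c 05042F35"
)

if __name__ == "__main__":
    report = audit_init_string(EXAMPLE_INIT)
    for key, val in report.items():
        print(f"{key:>14}: {val}")
    print("hardened -c value:", hardened_cipher_option("05042F35"))
```

Run against the technote's example, the report lists 05 and 04 as non-default codes (the two RC4 ciphers), shows SSLV3 as not enabled, and the hardened -c value reduces to 2F35, which is the same set ClearQuest now enables when -c is omitted.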


Document Information

Modified date:
14 July 2023

UID

swg22004124