Disabling SSL 2.0 Protocol; Configuring a Cipher Suite to Use for SSL/TLS; Installing Trusted Roots and Certifications on the iFolder Server; Installing Server Certificates from a Known Certificate Authority - Novell iFolder 3.x - Security Administrator Guide 08-15-2006 Administrator's Manual


2.6 Disabling SSL 2.0 Protocol

The built-in protections of SSL 3.0 against version rollback attacks (where the session is rolled back to
SSL 2.0 even when both client and server support SSL 3.0) are not secure against version-rollback
attackers who can brute force the key and substitute a new ENCRYPTED-KEY-DATA message
containing the same key (but with normal padding) before the application-specified wait threshold
has expired. If you disable SSL 2.0 on the server, it is not possible to establish a session using SSL
2.0, and version rollback attacks are not possible.
For information about disabling SSL 2.0 protocol for the Apache server, see "Configuring the SSL
Cipher Suites for the Apache Server" in the Novell iFolder 3.x Administration Guide.
For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong
Encryption: How-To (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) on the Apache.org Web
site.

2.7 Configuring a Cipher Suite to Use for SSL/TLS

To ensure strong encryption, we strongly recommend the following configuration for the Apache
server's SSL cipher suite settings.
• Use only High and Medium security cipher suites, such as RC4 and RSA.
• Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
• Disable the Low, Export, and Null cipher suites unless you need them for other applications.
Do not disable Low and Export cipher suites if they are required by your customer base. Those
using older browsers (4-5 years old) and older versions of Windows such as Windows 98 might
still need those cipher suites for other services.
For information, see "Configuring the SSL Cipher Suites for the Apache Server" in the Novell
iFolder 3.x Administration Guide.
For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong
Encryption: How-To (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) on the Apache.org Web
site.
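
The recommendations in sections 2.6 and 2.7, written as Apache 2.0 mod_ssl directives. This is an added example, not text from the Novell guide; placing the directives in the SSL virtual host that serves iFolder is an assumption.

```apache
# Added example (not from the Novell guide). Assumed location: the
# SSL-enabled <VirtualHost> that serves iFolder, with mod_ssl loaded.

# Weak starting point, shown commented out for comparison:
# every protocol version is offered, SSL 2.0 included, and the cipher
# list admits anonymous DH, export-grade and low-strength suites.
#SSLProtocol all
#SSLCipherSuite ALL

# Section 2.6: offer every protocol version except SSL 2.0, so a session
# can never be negotiated down to it.
SSLProtocol all -SSLv2

# Section 2.7: start from the High and Medium classes only, then
# permanently remove ("!") everything the guide tells you to drop:
#   !ADH / !aNULL  ciphers that do not authenticate the server
#   !eNULL         suites that apply no encryption
#   !LOW / !EXP    low-strength and export-grade suites
SSLCipherSuite HIGH:MEDIUM:!ADH:!aNULL:!eNULL:!LOW:!EXP

# If older clients in your customer base still require Low or Export
# suites, the guide says not to disable them: in that case drop the
# "!LOW" and "!EXP" terms and append ":+LOW:+EXP" so those suites are
# available but sorted after the stronger ones.
```

Running `openssl ciphers -v` with the same cipher string lists the suites it expands to, which is a quick way to confirm that no ADH, EXP or NULL entries remain before restarting Apache.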

2.8 Installing Trusted Roots and Certifications on the iFolder server

You should manually install the trusted roots and the directory public key out-of-band. For
information, see "Managing SSL Certificates for Apache" in the Novell iFolder 3.x Administration
Guide.

2.9 Installing Server Certificates from a Known Certificate Authority

You should use valid certificates for both the Apache server and the communication between the
Simias server and the Simias client daemon. Simias is the technology underpinning your iFolder
server and client software. You should have the server public key signed by a known Certificate
Security Best Practices for Novell iFolder 3.x