Honor Cipher List

A TLS-encrypted endpoint has a cipher list specified; if none is specified, a default is used. When the Honor Server Cipher List option is enabled, the server determines which cipher suite the client will use. When it is disabled, the client decides which cipher suite to use. Letting the client choose is insecure, because an attacker acting as the client can then select a weaker cipher suite and exploit it. See Specifying a Server Protocol and Cipher Suite Preference for more information.
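The following is an added example (not part of this documentation or the product) that shows the two selection rules described above, and an audit probe that checks whether a live TLS 1.2 endpoint honors its own cipher list. The suite lists are constructed sample data, and the probe assumes the target supports both of the suites it offers.

```python
import ssl
import socket

# Constructed sample lists: a client that offers a weak suite first, and a
# server whose configured list puts an AEAD suite first.
CLIENT_OFFER = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
SERVER_LIST = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]


def select_cipher(client_offer, server_list, honor_server_list):
    """Pick the negotiated suite the way a TLS server does.
    honor_server_list=True : walk the server's list, take the first one the client offered.
    honor_server_list=False: walk the client's offer, take the first one the server allows.
    Returns None when the lists share no suite (the handshake would fail)."""
    if honor_server_list:
        preferred, allowed = server_list, set(client_offer)
    else:
        preferred, allowed = client_offer, set(server_list)
    for suite in preferred:
        if suite in allowed:
            return suite
    return None


def probe_server_preference(host, port=443, cafile=None, timeout=5.0):
    """Audit a live endpoint: connect twice, offering two suites in opposite
    orders. If the server negotiates the same suite both times it is honoring
    its own list; if the result follows the client's order, it is not.
    TLS is capped at 1.2 because TLS 1.3 suites are a fixed set."""
    suites = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
    chosen = []
    for order in (suites, suites[::-1]):
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(":".join(order))
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                chosen.append(tls.cipher()[0])
    return {"server_preference": chosen[0] == chosen[1], "negotiated": chosen}
```

If the endpoint supports only one of the two probe suites, both handshakes return it and the probe cannot distinguish the two settings; pick two suites the server is known to allow.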

Configuration options

ESCWA

To ensure the ESCWA network endpoint will honor the server cipher list, use ESCWA to perform the following steps:

  1. Click

    This opens the Enterprise Server Administration Configuration dialog box.

  2. Expand Server Settings.
  3. Click TLS Settings.
  4. Expand Advanced.
  5. Check Honor Server Cipher List.
  6. Click Apply.
  7. Restart the ESCWA process.
Directory Server

To ensure a Directory Server network endpoint will honor the server cipher list, use ESCWA to perform the following steps:

  1. In the top menu bar, click Native.
  2. In the Native Navigation pane, expand Directory Server.
  3. Click the directory server you require, then click Properties > Connection.

    This takes you to the Connections Properties page.

  4. Check Enable TLS.
  5. Check Use Custom Certificates.
  6. Expand Advanced.
  7. Check Honor Server Cipher List.
  8. Click Apply.
  9. Restart the Directory Server process.
Communications Process

To ensure the network endpoint of a region's Communications Process will honor the server cipher list, use ESCWA to perform the following steps:

  1. In the top menu bar, click Native.
  2. In the Native Navigation pane, expand Directory Server.
  3. Click the region you require.
  4. Click General > Listeners.

    This opens the Communications Server Properties page.

  5. In the Native Listener Navigation pane, click the Communications Process you require.
  6. Expand Configure.
  7. Click TLS Settings.
  8. Check Enable TLS.
  9. In the Certificate File field, type the location of the TLS certificate on the machine where this region runs.
  10. In the Keyfile field, type the location of the TLS key on the machine where this region runs.
  11. In the Server CA Root Certificate File field, type the location of the server CA root certificate on the machine where this region runs.
  12. Expand Advanced.
  13. Check Honor Server Cipher List.
  14. Click Apply.
  15. Restart the region so the changes are applied.

See To Configure the Passphrase in a File for more information on setting the keyfile passphrase.

Next time the region is started, the network endpoint will be TLS enabled.

Listener

To ensure the network endpoint of a region's listener will honor the server cipher list, use ESCWA to perform the following steps:

  1. In the top menu bar, click Native.
  2. In the Native Navigation pane, expand Directory Server.
  3. Click the region you require.
  4. Click General > Listeners.

    This opens the Communications Server Properties page.

  5. In the Native Listener Navigation pane, click the listener you require.
  6. Click TLS Settings.
  7. Check Enable TLS.
  8. In the Certificate File field, type the location of the TLS certificate on the machine where this region runs.
  9. In the Keyfile field, type the location of the TLS key on the machine where this region runs.
  10. Expand Advanced.
  11. Check Honor Server Cipher List.
  12. Click Apply.
  13. Restart the region so the changes are applied.

Next time the region is started, the network endpoint will be TLS enabled.