Alan Baugher

Which TLS Ciphers are used by CA Directory DSAs?

Discussion created by Alan Baugher Employee on Jul 18, 2018



Using the openssl binary, we can view all ciphers provided by this command line tool.


Using this list, we can test each possible cipher category to a service that has TLS enabled, e.g. an LDAP server or Web Server 


To list all cipher possible with openssl.

Ref:  /docs/man1.1.0/apps/ciphers.html 




openssl ciphers



To test the ciphers, you can execute openssl with the s_client switch.


openssl s_client -cipher RSA -connect vapp0001:20394                  [SUCCESSFUL TEST]



Test with category:  HIGH    ""high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys."


openssl s_client -cipher HIGH  -connect vapp0001:20394    [TEST SUCCESS]



openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384 -connect vapp0001:20394     [TEST FAILURE]





You may wish to skip these tests.


openssl s_client -cipher DEFAULT -connect vapp0001:20394

openssl s_client -cipher ALL -connect vapp0001:2039

openssl s_client -cipher NULL -connect vapp0001:20394





Other examples:



openssl s_client -cipher EDH -connect vapp0001:20394



openssl s_client -cipher ECDH -connect vapp0001:20394






Best example of success for latest release of TLSv1.2


openssl s_client -cipher TLSv1.2 -connect vapp0001:20394






To directly view the CA Directory cipher used (if changed from defaults), you may view these files:








To view all active CA Directory DSA cipher, open a DXconsole, and issue the command : get ciphers;

- Or add this setting to CA Directory setting <dsa name>.dxc and issue a dxserver init <dsa name>

- Then view the <dsa-name>-trace.logs.




Ref:  Encryption Formats for SSL - CA Directory - 12.6 - CA Technologies Documentation 





Example to reduce ciphers to TLSv1.2 for CA Directory DSA upon startup:


Edit the DXHOME/config/ssld/impd.dxc   (or default.dxc)

- Update the set ssl = {  section as shown



Validate working with the -d switch for    dxserver -d start  <dsa_name>

- should only see validate TLSv1.2 ciphers.