Enforce secure communication with TLS 1.2 or higher
389-NS-001 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-NS-001 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | SC-8, SC-8(1), SC-13 |
| DISA SRG | SRG-APP-000014, SRG-APP-000439 |
Rationale
LDAP traffic carried without TLS exposes bind credentials and directory data in cleartext to any host positioned to eavesdrop on or intercept the connection. Even when TLS is enabled, permitting legacy protocol versions (SSLv3, TLS 1.0, TLS 1.1) reintroduces well-documented cryptographic weaknesses, including POODLE, BEAST, and SWEET32, that allow a capable attacker to decrypt session content or forge messages. Requiring TLS 1.2 as a minimum closes those downgrade paths and ensures that every authenticated session uses a protocol version whose handshake and record layer are free of those known weaknesses. This control satisfies the transmission-protection and cryptographic-strength requirements of NIST SP 800-53 SC-8, SC-8(1), and SC-13, and is directly assessed by DISA SRG-APP-000014 (data in transit) and SRG-APP-000439 (cryptographic mechanisms).
Check
Confirm security (TLS) is enabled and the minimum protocol is TLS 1.2.
dsconf <instance> security get | grep -Ei 'security|tls-protocol-min'
Expected: Security is enabled and the minimum TLS protocol is TLS1.2 or higher.
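The check above leaves the pass/fail decision to whoever reads the grep output. The following POSIX sh script is an added example (not part of this control page or of the 389-DS project) that makes the decision mechanically: it parses the `name: value` lines that `dsconf <instance> security get` prints, requires `security: on`, and ranks the `tls-protocol-min` label so that TLS1.2 and TLS1.3 pass while SSL3, TLS1.0, TLS1.1 and unknown labels fail. The sample output it runs on stand-alone is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: evaluate `dsconf <instance> security get` output against
# control 389-NS-001 (security on, minimum TLS protocol >= TLS1.2).
# Assumes the output uses one `name: value` setting per line, as the
# grep in the Check section does.

# Map a protocol label to a rank so versions can be compared numerically.
# Unknown or empty labels rank 0 and therefore fail the check.
tls_rank() {
    case "$1" in
        SSL3)   echo 1 ;;
        TLS1.0) echo 2 ;;
        TLS1.1) echo 3 ;;
        TLS1.2) echo 4 ;;
        TLS1.3) echo 5 ;;
        *)      echo 0 ;;
    esac
}

# Read dsconf-style output from stdin, print a PASS/FAIL line with the
# reason, and return 0 on PASS or 1 on FAIL.
check_tls_min() {
    security=""
    tls_min=""
    while IFS= read -r line; do
        case "$line" in
            "security: "*)         security=${line#"security: "} ;;
            "tls-protocol-min: "*) tls_min=${line#"tls-protocol-min: "} ;;
        esac
    done

    if [ "$security" != "on" ]; then
        echo "FAIL: security is '${security:-unset}', expected 'on'"
        return 1
    fi

    rank=$(tls_rank "$tls_min")
    if [ "$rank" -lt 4 ]; then
        echo "FAIL: tls-protocol-min is '${tls_min:-unset}', expected TLS1.2 or higher"
        return 1
    fi

    echo "PASS: security on, tls-protocol-min $tls_min"
    return 0
}

# With --stdin the script audits real output piped in:
#   dsconf <instance> security get | sh check_tls_min.sh --stdin
# Otherwise it runs on constructed sample output (not from a real server)
# so the logic can be exercised without a directory server.
if [ "${1:-}" = "--stdin" ]; then
    check_tls_min
else
    printf 'security: on\ntls-protocol-min: TLS1.2\n' | check_tls_min
    printf 'security: on\ntls-protocol-min: TLS1.0\n' | check_tls_min || true
    printf 'security: off\ntls-protocol-min: TLS1.2\n' | check_tls_min || true
fi
```

The script checks the server's own configuration, which is what the Check section asks for; it does not observe the listening socket, so a server that has not been restarted since the setting changed can still report PASS while negotiating an older version. Run it again after the restart required by the Remediation section.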
Remediation
Enable security and set the minimum TLS protocol version to 1.2.
dsconf <instance> security set --tls-protocol-min=TLS1.2
dsconf <instance> security enable
dsctl <instance> restart
References
Implementation Notes
Changing the security configuration requires a server restart to take effect. Ensure a valid server certificate is installed in the instance's NSS database before enabling security, or clients will fail to connect. The minimum protocol version does not by itself remove weak cipher suites: SWEET32, for example, depends on 3DES suites remaining enabled, so review the allowed cipher list as well. To force encrypted binds even on the plain LDAP port, also raise the minimum SSF (see 389-NS-003 notes).