[Test scenario]

Set up the servers
# setup-ds-admin.pl

SSL is not enabled.
# egrep -i --color nsSSL3 slapd-ID/dse.ldif
nsSSL3: off
# egrep -i --color NSSCipherSuite admin-serv/console.conf
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,
 -rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,
 -fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,
 -rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

SSL is set up. (FYI: Script setupssl2.sh is available at http://directory.fedoraproject.org/wiki/Howto:SSL)
# egrep -i --color nsSSL3 slapd-ID/dse.ldif
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+r
 sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sh
 a,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc
 4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_
 aes_256_sha

DS Console | Configuration | Encryption | Click Cipher: Settings button.


Note: "None None MD5" and "RC4 128 MD5" on SSL 3.0 and "AES 128 SHA" and "AES 256 SHA" are added.

Disable AES 128 SHA.
# egrep tls_rsa_aes_128_sha /etc/dirsrv/slapd-ID/dse.ldif
 4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-tls_rsa_aes_128_sha,+tls_rsa_

Restart the Console and open the Cipher Preference dialog.  AES 128 SHA is still disabled.



Admin Server
AS Console | Configuration | Encryption
Click Enable SSL for this serv.
Click Use this cipher family: RSA
Click Cipher: Settings

SSL2.0


SSL3.0


TLS


ldapsearch ...  -b "cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DN,o=NetscapeRoot" "(cn=*)" nsSSL3Ciphers
...
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

Disable SSL3.0, RC2 (Export) 40 MD5


ldapsearch ...  -b "cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DN,o=NetscapeRoot" "(cn=*)" nsSSL3Ciphers
...
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

NSSCipherSuite "-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,-rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 +rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,-rsa_aes_128_sha,
 +rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha"

Restart the servers and check the values match.

Note: once SSL on AS is enabled, you need to access the AS with https://host:port.
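
A script for the "check the values match" step, added here as an example and not part of the original test scenario or the 389 project's code. It unfolds the wrapped lines, parses both cipher lists and reports every difference; the function names are hypothetical, and the sample input is the last nsSSL3Ciphers output and the NSSCipherSuite line exactly as printed above.

```python
import re

# Sample input copied from the output shown above (not fetched from a live server).
DSE_SAMPLE = """\
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha
"""
CONF_SAMPLE = """\
NSSCipherSuite "-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,-rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 +rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,-rsa_aes_128_sha,
 +rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha"
"""

def unfold(text):
    """Join continuation lines: a newline followed by one space is a fold."""
    return text.replace("\r\n", "\n").replace("\n ", "")

def parse_ciphers(text, attr):
    """Return {cipher_name: enabled} for the first 'attr' line found in text."""
    pattern = re.compile(rf"\s*{re.escape(attr)}:?\s+(.*)$", re.IGNORECASE)
    for line in unfold(text).splitlines():
        m = pattern.match(line)
        if m:
            tokens = [t.strip() for t in m.group(1).strip().strip('"').split(",")]
            # Each token is '+name' (enabled) or '-name' (disabled).
            return {t[1:]: t[0] == "+" for t in tokens if t[:1] in ("+", "-")}
    return {}

def compare(dse, conf):
    """List ciphers whose state differs and ciphers present on one side only."""
    common = dse.keys() & conf.keys()
    return {
        "mismatch": sorted(n for n in common if dse[n] != conf[n]),
        "only_in_dse": sorted(dse.keys() - conf.keys()),
        "only_in_conf": sorted(conf.keys() - dse.keys()),
    }

def check_samples():
    dse = parse_ciphers(DSE_SAMPLE, "nsSSL3Ciphers")
    conf = parse_ciphers(CONF_SAMPLE, "NSSCipherSuite")
    return compare(dse, conf)

if __name__ == "__main__":
    for kind, names in check_samples().items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

To run it against a live system, pass the saved ldapsearch output and the contents of admin-serv/console.conf to parse_ciphers in place of the two sample strings.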