Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 nor TLS1.2 with the yum installed packages.
Pete
On 10/22/2014 4:29 PM, Philip Guenther wrote:
On Wed, 22 Oct 2014, Peter Boguszewski wrote:
I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when attempting to disable SSLv3. I have compiled the servers with the --with-tls=openssl option and communication appears to be working well between servers no matter what I have for SSL Protocol. My problems are with the clients.
For client configuration I install the openldap-clients package via yum install. Everything works as expected with this setting on the server side:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
as soon as I modify the +SSLv3 to -SSLv3 to this:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
the client no longer works.
Cipher suites are not protocol versions. To configure slapd to only negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented in slapd-config(5).
If you want to understand what your cipher suite specification was doing then you should read the ciphers(1) manpage (or maybe the CIPHERS section of the openssl(1) manpage), and test them with the "openssl ciphers -v" command, a la:
openssl ciphers -v HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
You'll quickly find out that "TLSv1.1" isn't a valid specifier, nor is "TLSv1.0", and ciphers covered by "SSLv3" are also used by TLS. Your last request therefore disabled all the pre-TLSv1.2 ciphers.
To require TLSv1.0 or higher with 128-bit and longer ciphers you probably just want:
olcTLSProtocolMin: 3.1
olcTLSCipherSuite: HIGH
...
Is there a solution to LDAP auth for RHEL clients with only allowing TLSv1.2? I will gladly compile from source or use the LTB Project rpms.
It seems your client systems don't actually support the TLSv1.2 ciphers. You'll need to fix that by building against a crypto library which actually supports them before you can try to require it.
Philip
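The behaviour Philip describes, as an added example that is not code from this thread or from OpenLDAP: a small model of how the "-SSLv3" operator in an olcTLSCipherSuite string removes ciphers that TLSv1.0/1.1 clients also depend on, while olcTLSProtocolMin is the setting that actually gates the protocol version. The cipher rows are a constructed excerpt in the column layout of `openssl ciphers -v`.

```python
"""Model of why '-SSLv3' in olcTLSCipherSuite breaks TLSv1.0/1.1 clients
while olcTLSProtocolMin is what actually gates the protocol version."""

# Constructed sample of `openssl ciphers -v HIGH` output: name, protocol column, ...
CIPHERS_V_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# Version ordering; the protocol column of `openssl ciphers -v` is the *earliest*
# version a cipher works with, so "SSLv3" ciphers also serve TLS 1.0 and 1.1.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
# olcTLSProtocolMin uses the TLS record-layer major.minor encoding (slapd-config(5)).
OLC_PROTOCOL_MIN = {"3.0": "SSLv3", "3.1": "TLSv1", "3.2": "TLSv1.1", "3.3": "TLSv1.2"}


def parse_ciphers(text):
    """Return [(cipher_name, protocol_tag), ...] from `openssl ciphers -v` style rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            rows.append((fields[0], fields[1]))
    return rows


def apply_cipher_string(ciphers, spec):
    """Model the '-TAG' operator of a cipher string: drop every cipher whose protocol
    column equals TAG. '+TAG' only reorders in OpenSSL, so it is ignored here; tags
    that are not keywords (TLSv1.1, TLSv1.0) match nothing, as ciphers(1) shows."""
    removed = {tok[1:] for tok in spec.split(":") if tok.startswith("-")}
    return [(name, proto) for name, proto in ciphers if proto not in removed]


def negotiable(ciphers, client_version, olc_protocol_min):
    """Ciphers a client offering `client_version` can negotiate with a slapd whose
    olcTLSProtocolMin is `olc_protocol_min` and whose filtered list is `ciphers`."""
    if PROTO_RANK[client_version] < PROTO_RANK[OLC_PROTOCOL_MIN[olc_protocol_min]]:
        return []  # refused by the version check, before any cipher is considered
    return [name for name, proto in ciphers if PROTO_RANK[proto] <= PROTO_RANK[client_version]]


if __name__ == "__main__":
    all_high = parse_ciphers(CIPHERS_V_OUTPUT)
    broken = apply_cipher_string(all_high, "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2")
    print("TLSv1 client, '-SSLv3' string:", negotiable(broken, "TLSv1", "3.1"))    # []
    print("TLSv1 client, 'HIGH' string:  ", negotiable(all_high, "TLSv1", "3.1"))  # 2 ciphers
    print("SSLv3 client, 'HIGH', min 3.1:", negotiable(all_high, "SSLv3", "3.1"))  # []
```

The first print reproduces Peter's symptom (a TLSv1.0 client left with no cipher after "-SSLv3"), while the third shows that olcTLSProtocolMin: 3.1 alone is what turns SSLv3 away.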