Hi everyone,

Question: are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connections?

See below why I ask:
I have used the following configuration in my slapd servers for quite a while without any problem:
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow
See for example my configuration for syncrepl (note tls_reqcert=demand):

olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type=refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap/cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 filter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand
-> I have used this for a couple of years on my multi-master ldap servers, and until yesterday that worked perfectly: replication was working properly and clients talked with the servers using TLS without any problem.

But since my certificates were too weak (see this: sha1, 512 bit):
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Dec 29 15:41:56 2011 GMT
            Not After : Jul 29 15:41:56 2021 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
I have renewed them using the same self-signed authority to validate them, and of course using exactly the same subject. My new certificate looks like this (see this: sha2, 4096 bit):

$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Jul 22 15:24:50 2015 GMT
            Not After : Feb 19 15:24:50 2025 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
I installed my new certificate on ldap1 without changing the configuration, and after restarting the server here is what I get in the ldap4 logs (loglevel = sync):
$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying
When I reinstall the previous certificates and restart the ldap1 server, I see this appearing in the ldap4 logs:

...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Question: are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connections? Do openldap TLS connections work with sha256WithRSAEncryption certificates using a 4096-bit public key? Maybe I missed something?

(note: I use openssl to manage my certificates)

Thanks for any help.
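Added example, not from the post or from OpenLDAP: a small Python helper that reads `openssl x509 -text` dumps like the two above and flags the properties a TLS peer commonly refuses (weak signature hash, short RSA key, expired validity, subject CN not matching the host, X.509 v1 without extensions). The policy thresholds, the AS_OF reference date and the trimmed sample dumps are this example's own assumptions, constructed from the post.

```python
import re
from datetime import datetime, timezone

WEAK_SIGNATURE_PREFIXES = ("md5", "sha1")  # policy assumed for this example, not an OpenLDAP limit
MIN_RSA_BITS = 2048                        # same: an assumed minimum, not taken from slapd
AS_OF = datetime(2015, 7, 22, tzinfo=timezone.utc)  # constructed reference date (date of the post)

def parse_cert_text(text):
    """Pull the fields that matter for TLS acceptance out of `openssl x509 -text` output."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    not_after = grab(r"^\s*Not After\s*:\s*(.+)$")
    return {
        "version": int(grab(r"^\s*Version:\s*(\d+)") or 0),
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(\S+)") or "",
        "key_bits": int(grab(r"Public-Key:\s*\((\d+) bit\)") or 0),
        "subject_cn": grab(r"^\s*Subject:.*?\bCN\s*=\s*([^/,\n]+)"),
        "not_after": datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc) if not_after else None,
    }

def audit_cert_text(text, expected_cn, now=None):
    """Return the policy findings for one certificate dump; an empty list means it passes."""
    c, now, findings = parse_cert_text(text), now or datetime.now(timezone.utc), []
    if c["sig_alg"].lower().startswith(WEAK_SIGNATURE_PREFIXES):
        findings.append(f"weak signature algorithm {c['sig_alg']}")
    if c["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {c['key_bits']} bits, below {MIN_RSA_BITS}")
    if c["version"] == 1:
        findings.append("X.509 v1 certificate: no extensions, so no subjectAltName")
    if c["not_after"] and c["not_after"] < now:
        findings.append(f"expired on {c['not_after']:%Y-%m-%d}")
    if c["subject_cn"] != expected_cn:
        findings.append(f"subject CN {c['subject_cn']!r} does not match {expected_cn!r}")
    return findings

# Constructed sample input, trimmed from the two `openssl x509 -text` dumps in the post.
OLD_CERT = """Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not After : Jul 29 15:41:56 2021 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
"""
NEW_CERT = (OLD_CERT.replace("sha1With", "sha256With").replace("(512 bit)", "(4096 bit)")
            .replace("Jul 29 15:41:56 2021", "Feb 19 15:24:50 2025"))
```

Running `audit_cert_text(OLD_CERT, "ldap1.example.fr", AS_OF)` lists the sha1 signature, the 512-bit key and the v1 format; the renewed certificate only keeps the v1 finding, which is worth checking separately since a v1 certificate cannot carry a subjectAltName.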