On 22/07/2015 18:27, Olivier wrote:
Hi everyone

Question: are there any limitations (key size, encryption algorithm, etc.) for certificates used by OpenLDAP to manage TLS connections?

See below why I ask:

I have used the following configuration in my slapd servers for quite a while without any problem:

olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow

See for example my configuration for syncrepl (note the tls_reqcert=demand):

olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl
  sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type
  =refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacer
  ts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap
  /cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 fil
  ter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand

-> I have used this for a couple of years on my multi-master LDAP servers, and until yesterday it worked perfectly: replication was working properly and clients talked with the servers over TLS without any problem.

But since my certificates were too weak (see below: sha1, 512 bit):

$ openssl x509 -text -in server.crt

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Dec 29 15:41:56 2011 GMT
            Not After : Jul 29 15:41:56 2021 GMT

        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)


I have renewed them using the same self-signed authority to validate them, and of course using exactly the same subject. My new certificate looks like this:

$ openssl x509 -text -in server.crt (note: sha2, 4096 bit):

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Jul 22 15:24:50 2015 GMT
            Not After : Feb 19 15:24:50 2025 GMT

        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:

I installed my new certificate on ldap1 without changing the configuration, and after restarting the server here is what I get in the ldap4 logs (loglevel = sync):

$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying

When I reinstall the previous certificates and restart the ldap1 server, I see this appearing in the ldap4 logs:
...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE

Question: are there any limitations (key size, encryption algorithm, etc.) for certificates used by OpenLDAP to manage TLS connections? Do OpenLDAP TLS connections work with sha256WithRSAEncryption certificates using a 4096-bit public key? Maybe I missed something?

(note: I use openssl to manage my certificates)

Thanks for any help.


Hello Olivier,

As far as I know, there is no limitation on key size in OpenLDAP. You should first test your new certificate by querying your LDAP server with openssl s_client. Then you can try a higher log level (use at least the 'conns' level) to get more details on the error. Try to query the LDAP server with ldapsearch, first with LDAPS, then with StartTLS, and see what happens.


-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
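Olivier's question about certificate limits and Clément's checklist (openssl s_client, then ldapsearch over LDAPS and StartTLS), as an added shell example that is not code from the thread or from the OpenLDAP project. The first part parses `openssl x509 -text` output offline and flags the two properties the thread turns on (signature algorithm and RSA key size); the 2048-bit / no-SHA-1 thresholds are a policy assumption of this example, not an OpenLDAP limit. The second part wraps the live diagnostics; the hostname `ldap1.example.fr` and the CA path `/etc/openldap/cacerts/CA.crt` are taken from the thread, and `openssl s_client -starttls ldap` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenLDAP project.
# Part 1: offline check of signature algorithm and RSA key size from
# `openssl x509 -text` output. Part 2: wrappers for the live diagnostics.
# Thresholds (>= 2048 bits, no MD5/SHA-1) are a policy assumption here.

# cert_strength <x509-text>: print "<signature-algorithm> <key-bits>".
# Uses the first "Signature Algorithm" line (the one inside the TBS data)
# and accepts both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
cert_strength() {
    printf '%s\n' "$1" | awk '
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        /Public-Key: \([0-9]+ bit\)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\([0-9]+$/) bits = substr($i, 2)
        }
        END { print sig, bits }'
}

# cert_is_acceptable <x509-text>: succeed only if the key is >= 2048 bits
# and the signature is neither MD5- nor SHA-1-based (assumed policy).
cert_is_acceptable() {
    set -- $(cert_strength "$1")
    sig=$1
    bits=$2
    case "$sig" in
        md5*|sha1*) return 1 ;;
    esac
    [ "${bits:-0}" -ge 2048 ]
}

# audit_cert_file <path>: run the same check on a real PEM file (needs openssl).
audit_cert_file() {
    cert_is_acceptable "$(openssl x509 -noout -text -in "$1")"
}

# Constructed sample inputs, reduced from the two dumps in Olivier's mail.
OLD_CERT_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
)

NEW_CERT_TEXT=$(cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
    Signature Algorithm: sha256WithRSAEncryption
EOF
)

# --- Part 2: live diagnostics (defined only; they need the real servers) ---
CA=/etc/openldap/cacerts/CA.crt   # path from the thread

# Show the certificate the server actually presents after StartTLS and
# whether it verifies against CA.crt. `-starttls ldap` needs OpenSSL >= 1.1.1.
check_starttls() {
    openssl s_client -connect "${1:-ldap1.example.fr}:389" -starttls ldap \
        -CAfile "$CA" </dev/null 2>&1 |
        grep -E 'Verify return code|Protocol|Cipher|^subject=|^issuer='
}

# Same check over LDAPS on 636, if the server listens there.
check_ldaps() {
    openssl s_client -connect "${1:-ldap1.example.fr}:636" -CAfile "$CA" \
        </dev/null 2>&1 | grep -E 'Verify return code|Protocol|Cipher'
}

# Anonymous rootDSE query over StartTLS (-ZZ makes StartTLS mandatory) and
# over LDAPS; -d 1 prints the client-side TLS diagnostics behind a bare -11.
check_ldapsearch() {
    host=${1:-ldap1.example.fr}
    LDAPTLS_CACERT=$CA ldapsearch -ZZ -x -H "ldap://$host" -b '' -s base -d 1
    LDAPTLS_CACERT=$CA ldapsearch -x -H "ldaps://$host" -b '' -s base -d 1
}
```

Run `cert_is_acceptable "$OLD_CERT_TEXT"` and `cert_is_acceptable "$NEW_CERT_TEXT"` to see the old 512-bit/SHA-1 certificate rejected and the new one accepted by the assumed policy; `audit_cert_file server.crt` does the same on a real file. The `-11` in Olivier's log is LDAP_CONNECT_ERROR, the generic code the client library returns when the TLS handshake fails, which is why the s_client output and `ldapsearch -d 1` are the places to look for the actual reason.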