On 14/12/2022 07:32, Erik de Waard wrote:
> Hi,
>
> Take a look at TLSCipherSuite
>
> Erik
>
> On Wed, Dec 14, 2022, 07:23 Andre Rodier <andre@rodier.me> wrote:
>
> Hello,
>
> I have configured OpenLDAP using SSL certificate, but I have a few issues.
>
> Here is the TLS configuration, especially "olcTLSProtocolMin: 3.3":
>
> > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> > # CRC32 c70363a6
> > dn: cn=config
> > objectClass: olcGlobal
> > cn: config
> > olcArgsFile: /var/run/slapd/slapd.args
> > olcLogLevel: none
> > olcPidFile: /var/run/slapd/slapd.pid
> > olcToolThreads: 1
> > structuralObjectClass: olcGlobal
> > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4
> > creatorsName: cn=config
> > createTimestamp: 20221213065102Z
> > olcPasswordCryptSaltFormat: $6$%.16s
> > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt
> > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key
> > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
> > olcTLSProtocolMin: 3.3
> > entryCSN: 20221214054517.926245Z#000000#000#000000
> > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > modifyTimestamp: 20221214054517Z
>
> But if I try sslscan, I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why?
>
> > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636
> > Version: 2.0.7
> > OpenSSL 1.1.1n 15 Mar 2022
> >
> > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
> >
> > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world
> >
> > SSL/TLS Protocols:
> > SSLv2 disabled
> > SSLv3 disabled
> > TLSv1.0 enabled
> > TLSv1.1 enabled
> > TLSv1.2 enabled
> > TLSv1.3 enabled
> >
> > TLS Fallback SCSV:
> > Server supports TLS Fallback SCSV
> >
> > TLS renegotiation:
> > Secure session renegotiation supported
> >
> > TLS Compression:
> > OpenSSL version does not support compression
> > Rebuild with zlib1g-dev package for zlib support
> >
> > Heartbleed:
> > TLSv1.3 not vulnerable to heartbleed
> > TLSv1.2 not vulnerable to heartbleed
> > TLSv1.1 not vulnerable to heartbleed
> > TLSv1.0 not vulnerable to heartbleed
> >
> > Supported Server Cipher(s):
> > Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
> > Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
> > Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
> > Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253
> > Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
> > Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
> > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
> > Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> > Accepted TLSv1.2 256 bits AES256-GCM-SHA384
> > Accepted TLSv1.2 256 bits AES256-CCM
> > Accepted TLSv1.2 128 bits AES128-GCM-SHA256
> > Accepted TLSv1.2 128 bits AES128-CCM
> > Accepted TLSv1.2 256 bits AES256-SHA
> > Accepted TLSv1.2 128 bits AES128-SHA
> > Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> > Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> > Accepted TLSv1.1 256 bits AES256-SHA
> > Accepted TLSv1.1 128 bits AES128-SHA
> > Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> > Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> > Accepted TLSv1.0 256 bits AES256-SHA
> > Accepted TLSv1.0 128 bits AES128-SHA
> >
> > Server Key Exchange Group(s):
> > TLSv1.3 128 bits secp256r1 (NIST P-256)
> > TLSv1.3 192 bits secp384r1 (NIST P-384)
> > TLSv1.3 260 bits secp521r1 (NIST P-521)
> > TLSv1.3 128 bits x25519
> > TLSv1.3 224 bits x448
> > TLSv1.3 112 bits ffdhe2048
> > TLSv1.3 128 bits ffdhe3072
> > TLSv1.3 150 bits ffdhe4096
> > TLSv1.3 175 bits ffdhe6144
> > TLSv1.3 192 bits ffdhe8192
> > TLSv1.2 128 bits secp256r1 (NIST P-256)
> > TLSv1.2 192 bits secp384r1 (NIST P-384)
> > TLSv1.2 260 bits secp521r1 (NIST P-521)
> > TLSv1.2 128 bits x25519
> > TLSv1.2 224 bits x448
> >
> > SSL Certificate:
> > Signature Algorithm: sha256WithRSAEncryption
> > RSA Key Strength: 2048
> >
> > Subject: ldap.homebox.world
> > Altnames: DNS:ldap.homebox.world
> > Issuer: (STAGING) Artificial Apricot R3
> >
> > Not valid before: Dec 13 05:34:29 2022 GMT
> > Not valid after: Mar 13 05:34:28 2023 GMT
>
> Thanks for your insights.
>
> Andre
>
Well, actually, this is the next issue.
For instance, here is the LDIF file I use:
> dn: cn=config
> add: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/certs/ldap.homebox.world.issuer.crt
> -
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/certs/ldap.homebox.world.crt
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/private/ldap.homebox.world.key
> -
> add: olcTLSProtocolMin
> olcTLSProtocolMin: 3.3
> -
> add: olcTLSCipherSuite
> olcTLSCipherSuite: HIGH
And then, when I try to set the cipher suite:
> root@main:/etc/ldap/changes# ldapmodify -QY EXTERNAL -H ldapi:/// -d 99 -f /etc/ldap/changes/ssl-config.ldif
> ldap_url_parse_ext(ldapi:///)
> ldap_create
> ldap_url_parse_ext(ldapi:///??base)
> ldap_sasl_interactive_bind: user selected: EXTERNAL
> ldap_int_sasl_bind: EXTERNAL
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_path
> ldap_new_socket: 4
> ldap_connect_to_path: Trying /var/run/slapd/ldapi
> ldap_connect_timeout: fd: 4 tm: -1 async: 0
> ldap_ndelay_on: 4
> ldap_ndelay_off: 4
> ldap_int_sasl_open: host=main
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush2: 26 bytes to sd
> ldap_write: want=26, written=26
> 0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
> 0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
> ldap_msgfree
> ldap_result ld 0x5615325c7bd0 msgid 1
> wait4msg ld 0x5615325c7bd0 msgid 1 (infinite timeout)
> wait4msg continue ld 0x5615325c7bd0 msgid 1 all 1
> ** ld 0x5615325c7bd0 Connections:
> * host: (null) port: 0 (default)
> refcnt: 2 status: Connected
> last used: Wed Dec 14 05:47:30 2022
>
>
> ** ld 0x5615325c7bd0 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ld 0x5615325c7bd0 request count 1 (abandoned 0)
> ** ld 0x5615325c7bd0 Response Queue:
> Empty
> ld 0x5615325c7bd0 response count 0
> ldap_chkResponseList ld 0x5615325c7bd0 msgid 1 all 1
> ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
> ldap_int_select
> read1msg: ld 0x5615325c7bd0 msgid 1 all 1
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 0c 02 01 01 61 07 0a 0....a..
> ldap_read: want=6, got=6
> 0000: 01 00 04 00 04 00 ......
> ber_get_next: tag 0x30 len 12 contents:
> read1msg: ld 0x5615325c7bd0 msgid 1 message type bind
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x5615325c7bd0 0 new referrals
> read1msg: mark request completed, ld 0x5615325c7bd0 msgid 1
> request done: ld 0x5615325c7bd0 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_int_sasl_bind: EXTERNAL
> ldap_parse_sasl_bind_result
> ber_scanf fmt ({eAA) ber:
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> modifying entry "cn=config"
> ldap_modify_ext
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 54 bytes to sd 4
> ldap_write: want=54, written=54
> 0000: 30 34 02 01 02 66 2f 04 09 63 6e 3d 63 6f 6e 66 04...f/..cn=conf
> 0010: 69 67 30 22 30 20 0a 01 00 30 1b 04 11 6f 6c 63 ig0"0 ...0...olc
> 0020: 54 4c 53 43 69 70 68 65 72 53 75 69 74 65 31 06 TLSCipherSuite1.
> 0030: 04 04 48 49 47 48 ..HIGH
> ldap_result ld 0x5615325c7bd0 msgid 2
> wait4msg ld 0x5615325c7bd0 msgid 2 (timeout 100000 usec)
> wait4msg continue ld 0x5615325c7bd0 msgid 2 all 1
> ** ld 0x5615325c7bd0 Connections:
> * host: (null) port: 0 (default)
> refcnt: 2 status: Connected
> last used: Wed Dec 14 05:47:30 2022
>
>
> ** ld 0x5615325c7bd0 Outstanding Requests:
> * msgid 2, origid 2, status InProgress
> outstanding referrals 0, parent count 0
> ld 0x5615325c7bd0 request count 1 (abandoned 0)
> ** ld 0x5615325c7bd0 Response Queue:
> Empty
> ld 0x5615325c7bd0 response count 0
> ldap_chkResponseList ld 0x5615325c7bd0 msgid 2 all 1
> ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
> ldap_int_select
> read1msg: ld 0x5615325c7bd0 msgid 2 all 1
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 0c 02 01 02 67 07 0a 0....g..
> ldap_read: want=6, got=6
> 0000: 01 50 04 00 04 00 .P....
> ber_get_next: tag 0x30 len 12 contents:
> read1msg: ld 0x5615325c7bd0 msgid 2 message type modify
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x5615325c7bd0 0 new referrals
> read1msg: mark request completed, ld 0x5615325c7bd0 msgid 2
> request done: ld 0x5615325c7bd0 msgid 2
> res_errno: 80, res_error: <>, res_matched: <>
> ldap_free_request (origid 2, msgid 2)
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_err2string
> ldap_modify: Other (e.g., implementation specific) error (80)
>
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 4
> ldap_write: want=7, written=7
> 0000: 30 05 02 01 03 42 00 0....B.
> ldap_free_connection: actually freed
I have the (in)famous "Other (e.g., implementation specific) error (80)"
I also tried the example given here: https://access.redhat.com/articles/1474813
> EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
But I get the same "implementation specific error".
However, if I remove the cipher suite, the ldapmodify command works.
Thanks for any advice.
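As an added verification aid (not code from the thread or from OpenLDAP), the script below reads the olcTLSProtocolMin value from a cn=config LDIF and compares it with what sslscan actually observed, using the slapd-config(5) mapping 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2; it also flags cipher suites negotiated without forward secrecy. The sslscan excerpt is taken from the output quoted above; the LDIF fragment is constructed.

```python
"""Audit an OpenLDAP TLS policy (olcTLSProtocolMin) against observed sslscan results."""
import re

# olcTLSProtocolMin uses record-layer numbering: 3.1 = TLSv1.0 ... 3.3 = TLSv1.2, 3.4 = TLSv1.3.
PROTOCOL_VERSIONS = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1",
                     "3.3": "TLSv1.2", "3.4": "TLSv1.3"}
ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed LDIF fragment mirroring the configuration quoted in the thread.
LDIF = "dn: cn=config\nobjectClass: olcGlobal\nolcTLSProtocolMin: 3.3\n"

# Excerpt of the sslscan output quoted in the thread (quote markers removed).
SSLSCAN = """SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled
Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits AES128-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
"""

def parse_protocol_min(ldif_text):
    """Return the TLS version name required by olcTLSProtocolMin, or None if unset."""
    m = re.search(r"^olcTLSProtocolMin:\s*(\d+\.\d+)\s*$", ldif_text, re.M)
    return PROTOCOL_VERSIONS.get(m.group(1)) if m else None

def parse_sslscan(output):
    """Return (enabled protocol names, [(protocol, cipher, has_forward_secrecy)])."""
    enabled, ciphers = [], []
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"^(SSLv\d|TLSv1\.\d)\s+(enabled|disabled)$", line)
        if m and m.group(2) == "enabled":
            enabled.append(m.group(1))
        m = re.match(r"^(?:Preferred|Accepted)\s+(TLSv1\.\d)\s+\d+ bits\s+(\S+)(.*)$", line)
        if m:  # sslscan prints "DHE <bits>" only for (EC)DHE key exchange
            ciphers.append((m.group(1), m.group(2), "DHE" in m.group(3)))
    return enabled, ciphers

def audit(ldif_text, sslscan_output):
    """List policy violations: protocols below the minimum and non-PFS cipher suites."""
    minimum = parse_protocol_min(ldif_text)
    enabled, ciphers = parse_sslscan(sslscan_output)
    findings = [f"{p} accepted although olcTLSProtocolMin requires {minimum}"
                for p in enabled if minimum and ORDER.index(p) < ORDER.index(minimum)]
    findings += [f"{p} {c}: no forward secrecy (static RSA key exchange)"
                 for p, c, pfs in ciphers if not pfs]
    return findings
```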