On 23 Feb. 2022 at 17:49, Quanah Gibson-Mount quanah@fast-mail.org wrote:
ication we need to drop the SSL version available on our OpenLDAP server.
Currently it supports TLSv1.2, checked with nmap --script ssl-enum-ciphers -p 636 host
Whatever value I put in olcTLSProtocolMin, the SSL version does not change… I have tried 3.0, 3.1, 3.2…
What am I missing? Or is it a feature?
What SSL library is your OpenLDAP linked to?
From what I see in config.status:
D["HAVE_OPENSSL_SSL_H"]=" 1"
D["HAVE_OPENSSL"]=" 1"
ii libssl-dev:amd64 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.1:amd64 1.1.1f-1ubuntu2.9 amd64 Secure Sockets Layer toolkit - shared libraries
Generally I'd look at the output of readelf or ldd on the slapd binary itself.
I would note that as documented, olcTLSProtocolMin is N+1, so 3.2 would allow 1.1 or later. 3.2 would restrict it to TLS 1.2 or later. I'm not sure nmap is actually telling you all supported versions, just that 1.2 is allowed.
I generally test using the openssl s_client command.
It works, I'll show you:
Against the 2.4.0 OpenLDAP server:
nmap --script ssl-enum-ciphers -p 636 <oldldap>
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-23 17:59 CET
Nmap scan report for ldapd.dmzi.ipb.fr (10.220.18.53)
Host is up (0.00051s latency).
rDNS record for 10.220.18.53: ldap.dmzi.ipb.fr

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: C
As you see, all the SSL versions are listed.
And with the 2.6.0 OpenLDAP server:
nmap --script ssl-enum-ciphers -p 636 <newserver>
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-23 18:03 CET
Nmap scan report for ldapd2021.dmzi.ipb.fr (10.220.18.61)
Host is up (0.000043s latency).
rDNS record for 10.220.18.61: ldap.bordeaux-inp.fr

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
So as you see, when the server accepts all protocols, nmap does list all the protocols.
But I have tested with openssl s_client and got the same result (it just takes longer to get).
I add here the cn=config.ldif:
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf
olcConfigDir: slapd.d
olcAllows: bind_v2
olcArgsFile: /usr/local/var/run/slapd/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /usr/local/var/run/slapd/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 25 ldap://<omitted>
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: c7dfcd66-fe72-103a-8d83-4d2d603596c4
creatorsName: cn=config
createTimestamp: 20210208160225Z
olcTLSCertificateKeyFile: /usr/local/etc/ssl/private/ldap.bordeaux-inp.fr-0001/privkey.pem
olcTLSCertificateFile: /usr/local/etc/ssl/certs/ldap.bordeaux-inp.fr-0001/fullchain.pem
olcTLSProtocolMin: 3.0
olcLogLevel: none
entryCSN: 20220222083441.609985Z#000000#019#000000
modifiersName: cn=config
modifyTimestamp: 20220222083441Z
contextCSN: 20210308104755.920794Z#000000#00e#000000
contextCSN: 20211122120925.101869Z#000000#018#000000
contextCSN: 20220222083441.609985Z#000000#019#000000
So… it still does not work. What can I do?
f.g.
—
Frédéric Goudal
Systems Engineer, DSI Bordeaux-INP
+33 556 84 23 11
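The two points the thread turns on are the olcTLSProtocolMin encoding (Quanah's "N+1" remark: the value is the TLS record-layer version, so 3.1 is TLS 1.0 and 3.3 is TLS 1.2) and how to check what a server actually negotiates. The following Python is an added example, not code from this thread or from the OpenLDAP project. It maps version names to olcTLSProtocolMin values both ways, parses the per-version headers of an nmap ssl-enum-ciphers report to flag anything below a chosen floor, emits the ldapmodify LDIF for that floor, and includes a per-version handshake probe equivalent to trying `openssl s_client -tls1`, `-tls1_1`, and so on in turn. The nmap report embedded below is constructed (abbreviated from the shape of the 2.4.0 output above), and `probe_versions` needs a reachable host, so only the offline parts are exercised here.

```python
"""Map OpenLDAP's olcTLSProtocolMin encoding to TLS version names, parse an
nmap ssl-enum-ciphers report, flag versions below a desired floor and emit
the ldapmodify LDIF.  Added example, not OpenLDAP's own code; SAMPLE_NMAP is
a constructed report."""
import re
import socket
import ssl

# olcTLSProtocolMin takes the TLS record-layer version number, in which
# TLS 1.0 is 3.1: the minor digit is one higher than in the protocol name.
PROTOCOL_MIN = {
    "SSLv3": "3.0",
    "TLSv1.0": "3.1",
    "TLSv1.1": "3.2",
    "TLSv1.2": "3.3",
    "TLSv1.3": "3.4",
}
ORDER = list(PROTOCOL_MIN)  # oldest first
NAME_FOR_VALUE = {v: k for k, v in PROTOCOL_MIN.items()}


def protocol_min_for(version):
    """olcTLSProtocolMin value that makes `version` the oldest accepted one."""
    return PROTOCOL_MIN[version]


def version_for_protocol_min(value):
    """Oldest TLS version a given olcTLSProtocolMin value still allows."""
    return NAME_FOR_VALUE[value]


# nmap prints one "|   TLSv1.2:" header per protocol version it negotiated.
_VERSION_LINE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")


def offered_versions(nmap_output):
    """Protocol versions listed in an ssl-enum-ciphers report, oldest first."""
    found = set()
    for line in nmap_output.splitlines():
        m = _VERSION_LINE.match(line.strip())
        if m:
            found.add(m.group(1))
    return sorted(found, key=ORDER.index)


def versions_below(offered, minimum):
    """Versions the server still accepts although policy wants `minimum` or newer."""
    floor = ORDER.index(minimum)
    return [v for v in offered if ORDER.index(v) < floor]


def ldif_for_minimum(version):
    """ldapmodify input that sets the floor on a cn=config server."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: olcTLSProtocolMin\n"
        f"olcTLSProtocolMin: {PROTOCOL_MIN[version]}\n"
    )


_SSL_VERSION = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_versions(host, port=636, timeout=5.0):
    """One handshake per version, pinned with min == max (like
    `openssl s_client -tls1_1`).  Needs network access; if the client-side
    OpenSSL refuses an old version itself, that version reports as not
    accepted regardless of the server."""
    accepted = []
    for name, ver in _SSL_VERSION.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # only the negotiated version matters here
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.append(name)
        except (OSError, ValueError):  # ssl.SSLError is an OSError subclass
            pass
    return accepted


# Constructed, abbreviated report in the same shape as the 2.4.0 output above.
SAMPLE_NMAP = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

if __name__ == "__main__":
    offered = offered_versions(SAMPLE_NMAP)
    print("offered:", offered)
    print("below TLSv1.2:", versions_below(offered, "TLSv1.2"))
    print(ldif_for_minimum("TLSv1.2"))
```

One caveat worth keeping in mind when the value seems to have no effect: olcTLSProtocolMin can only raise the floor above what the linked OpenSSL allows, and the distribution-wide openssl.cnf that ships with Ubuntu's libssl 1.1.1f already sets `MinProtocol = TLSv1.2`, so values of 3.0 through 3.2 change nothing observable on such a system, while 3.3 or 3.4 would.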