Hi,
Take a look at TLSCipherSuite
Erik
On Wed, Dec 14, 2022, 07:23 Andre Rodier andre@rodier.me wrote:
Hello,
I have configured OpenLDAP using SSL certificate, but I have a few issues.
Here the TLS configuration, especially "olcTLSProtocolMin: 3.3"
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 c70363a6 dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 creatorsName: cn=config createTimestamp: 20221213065102Z olcPasswordCryptSaltFormat: $6$%.16s olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt olcTLSProtocolMin: 3.3 entryCSN: 20221214054517.926245Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20221214054517Z
But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ?
root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 Version: 2.0.7 OpenSSL 1.1.1n 15 Mar 2022
Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
Testing SSL server ldap.homebox.world on port 636 using SNI name
ldap.homebox.world
SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 enabled TLSv1.1 enabled TLSv1.2 enabled TLSv1.3 enabled
TLS Fallback SCSV: Server supports TLS Fallback SCSV
TLS renegotiation: Secure session renegotiation supported
TLS Compression: OpenSSL version does not support compression Rebuild with zlib1g-dev package for zlib support
Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed TLSv1.1 not vulnerable to heartbleed TLSv1.0 not vulnerable to heartbleed
Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519
DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519
DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519
DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519
DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519
DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519
DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519
DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519
DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519
DHE 253
Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-CCM Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-CCM Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits AES128-SHA Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519
DHE 253
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519
DHE 253
Accepted TLSv1.1 256 bits AES256-SHA Accepted TLSv1.1 128 bits AES128-SHA Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519
DHE 253
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519
DHE 253
Accepted TLSv1.0 256 bits AES256-SHA Accepted TLSv1.0 128 bits AES128-SHA
Server Key Exchange Group(s): TLSv1.3 128 bits secp256r1 (NIST P-256) TLSv1.3 192 bits secp384r1 (NIST P-384) TLSv1.3 260 bits secp521r1 (NIST P-521) TLSv1.3 128 bits x25519 TLSv1.3 224 bits x448 TLSv1.3 112 bits ffdhe2048 TLSv1.3 128 bits ffdhe3072 TLSv1.3 150 bits ffdhe4096 TLSv1.3 175 bits ffdhe6144 TLSv1.3 192 bits ffdhe8192 TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits x25519 TLSv1.2 224 bits x448
SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048
Subject: ldap.homebox.world Altnames: DNS:ldap.homebox.world Issuer: (STAGING) Artificial Apricot R3
Not valid before: Dec 13 05:34:29 2022 GMT Not valid after: Mar 13 05:34:28 2023 GMT
Thanks for your insights.
Andre