Hello,
I have configured OpenLDAP using an SSL certificate, but I have a few issues.
Here is the TLS configuration, especially "olcTLSProtocolMin: 3.3":
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 c70363a6
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcToolThreads: 1
> structuralObjectClass: olcGlobal
> entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4
> creatorsName: cn=config
> createTimestamp: 20221213065102Z
> olcPasswordCryptSaltFormat: $6$%.16s
> olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt
> olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key
> olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
> olcTLSProtocolMin: 3.3
> entryCSN: 20221214054517.926245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20221214054517Z
But if I try sslscan, I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why?
> root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636
> Version: 2.0.7
> OpenSSL 1.1.1n 15 Mar 2022
>
> Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
>
> Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world
>
> SSL/TLS Protocols:
> SSLv2 disabled
> SSLv3 disabled
> TLSv1.0 enabled
> TLSv1.1 enabled
> TLSv1.2 enabled
> TLSv1.3 enabled
>
> TLS Fallback SCSV:
> Server supports TLS Fallback SCSV
>
> TLS renegotiation:
> Secure session renegotiation supported
>
> TLS Compression:
> OpenSSL version does not support compression
> Rebuild with zlib1g-dev package for zlib support
>
> Heartbleed:
> TLSv1.3 not vulnerable to heartbleed
> TLSv1.2 not vulnerable to heartbleed
> TLSv1.1 not vulnerable to heartbleed
> TLSv1.0 not vulnerable to heartbleed
>
> Supported Server Cipher(s):
> Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
> Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
> Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
> Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253
> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
> Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> Accepted TLSv1.2 256 bits AES256-GCM-SHA384
> Accepted TLSv1.2 256 bits AES256-CCM
> Accepted TLSv1.2 128 bits AES128-GCM-SHA256
> Accepted TLSv1.2 128 bits AES128-CCM
> Accepted TLSv1.2 256 bits AES256-SHA
> Accepted TLSv1.2 128 bits AES128-SHA
> Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> Accepted TLSv1.1 256 bits AES256-SHA
> Accepted TLSv1.1 128 bits AES128-SHA
> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> Accepted TLSv1.0 256 bits AES256-SHA
> Accepted TLSv1.0 128 bits AES128-SHA
>
> Server Key Exchange Group(s):
> TLSv1.3 128 bits secp256r1 (NIST P-256)
> TLSv1.3 192 bits secp384r1 (NIST P-384)
> TLSv1.3 260 bits secp521r1 (NIST P-521)
> TLSv1.3 128 bits x25519
> TLSv1.3 224 bits x448
> TLSv1.3 112 bits ffdhe2048
> TLSv1.3 128 bits ffdhe3072
> TLSv1.3 150 bits ffdhe4096
> TLSv1.3 175 bits ffdhe6144
> TLSv1.3 192 bits ffdhe8192
> TLSv1.2 128 bits secp256r1 (NIST P-256)
> TLSv1.2 192 bits secp384r1 (NIST P-384)
> TLSv1.2 260 bits secp521r1 (NIST P-521)
> TLSv1.2 128 bits x25519
> TLSv1.2 224 bits x448
>
> SSL Certificate:
> Signature Algorithm: sha256WithRSAEncryption
> RSA Key Strength: 2048
>
> Subject: ldap.homebox.world
> Altnames: DNS:ldap.homebox.world
> Issuer: (STAGING) Artificial Apricot R3
>
> Not valid before: Dec 13 05:34:29 2022 GMT
> Not valid after: Mar 13 05:34:28 2023 GMT
Thanks for your insights.
Andre
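An added example, not part of Andre's message: a small Python check that parses the "SSL/TLS Protocols:" and "Supported Server Cipher(s):" sections of sslscan output and reports (a) protocol versions enabled below a required floor and (b) TLS 1.0 to 1.2 suites that lack forward secrecy or use a CBC cipher with an SHA-1 MAC. The floor of TLSv1.2 matches the intent of olcTLSProtocolMin: 3.3 (OpenLDAP writes TLS versions as SSL record major.minor, so 3.3 is TLS 1.2). The embedded sample is copied from the scan in the message with the quote markers removed; the policy thresholds and the heuristics for "weak" are assumptions chosen for illustration, not anything the post or OpenLDAP defines. Re-running this over a fresh scan after the configuration is corrected is the verification step a practitioner would want.

```python
"""Policy check over sslscan output (added example; not from the original post).

SSLSCAN_OUTPUT is the protocol and cipher sections of the scan quoted in the
post, embedded here as constructed sample input so the check runs offline.
"""
import re

SSLSCAN_OUTPUT = """
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-CCM
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-CCM
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits AES128-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
"""

# Ordering used to compare a version against the policy floor.
VERSION_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Lines may carry a leading "> " if pasted from a quoted mail; tolerate it.
_PROTO_RE = re.compile(r"^\s*(?:>\s*)?(SSLv2|SSLv3|TLSv1\.[0-3])\s+(enabled|disabled)\s*$", re.M)
_CIPHER_RE = re.compile(r"^\s*(?:>\s*)?(?:Preferred|Accepted)\s+(TLSv1\.[0-3])\s+(\d+)\s+bits\s+(\S+)", re.M)


def parse_protocols(text):
    """Map each protocol version in the 'SSL/TLS Protocols:' section to True/False."""
    return {m.group(1): m.group(2) == "enabled" for m in _PROTO_RE.finditer(text)}


def parse_ciphers(text):
    """Return (version, bits, suite_name) for every accepted/preferred cipher line."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in _CIPHER_RE.finditer(text)]


def protocol_violations(enabled, min_version="TLSv1.2"):
    """Versions that are enabled but older than the required floor, oldest first."""
    floor = VERSION_ORDER[min_version]
    return sorted((v for v, on in enabled.items() if on and VERSION_ORDER[v] < floor),
                  key=VERSION_ORDER.get)


def weak_ciphers(ciphers):
    """Flag TLS 1.0-1.2 suites with no (EC)DHE key exchange or a CBC+SHA-1 construction.

    Heuristic (an assumption for this example): OpenSSL names starting with
    ECDHE-/DHE- provide forward secrecy; names ending in -SHA are CBC with
    HMAC-SHA1. TLS 1.3 suites are always ephemeral-DH and AEAD, so they pass.
    """
    flagged = []
    for version, _bits, name in ciphers:
        if version == "TLSv1.3":
            continue
        no_pfs = not (name.startswith("ECDHE-") or name.startswith("DHE-"))
        cbc_sha1 = name.endswith("-SHA")
        if no_pfs or cbc_sha1:
            flagged.append((version, name))
    return flagged


def check(text, min_version="TLSv1.2"):
    """Run both checks over raw sslscan output and return the findings."""
    return {"protocols": protocol_violations(parse_protocols(text), min_version),
            "ciphers": weak_ciphers(parse_ciphers(text))}


if __name__ == "__main__":
    findings = check(SSLSCAN_OUTPUT)
    print("versions below floor:", findings["protocols"])
    print("weak suites:", len(findings["ciphers"]))
```

On the scan from the post the check reports TLSv1.0 and TLSv1.1 as below the TLSv1.2 floor, which is exactly the discrepancy with olcTLSProtocolMin: 3.3 that the message asks about; once the server really enforces the floor, the "protocols" list should come back empty and all TLS 1.0/1.1 suite lines should disappear from the scan.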