On 14/12/2022 07:32, Erik de Waard wrote:
Hi,
Take a look at TLSCipherSuite
Erik
On Wed, Dec 14, 2022, 07:23 Andre Rodier <andre@rodier.me> wrote:
Hello, I have configured OpenLDAP using an SSL certificate, but I have a few issues. Here is the TLS configuration, especially "olcTLSProtocolMin: 3.3":
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 c70363a6
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcToolThreads: 1
> structuralObjectClass: olcGlobal
> entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4
> creatorsName: cn=config
> createTimestamp: 20221213065102Z
> olcPasswordCryptSaltFormat: $6$%.16s
> olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt
> olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key
> olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
> olcTLSProtocolMin: 3.3
> entryCSN: 20221214054517.926245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20221214054517Z
But if I try sslscan, I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why?
> root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636
> Version: 2.0.7
> OpenSSL 1.1.1n 15 Mar 2022
>
> Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
>
> Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world
>
> SSL/TLS Protocols:
> SSLv2 disabled
> SSLv3 disabled
> TLSv1.0 enabled
> TLSv1.1 enabled
> TLSv1.2 enabled
> TLSv1.3 enabled
>
> TLS Fallback SCSV:
> Server supports TLS Fallback SCSV
>
> TLS renegotiation:
> Secure session renegotiation supported
>
> TLS Compression:
> OpenSSL version does not support compression
> Rebuild with zlib1g-dev package for zlib support
>
> Heartbleed:
> TLSv1.3 not vulnerable to heartbleed
> TLSv1.2 not vulnerable to heartbleed
> TLSv1.1 not vulnerable to heartbleed
> TLSv1.0 not vulnerable to heartbleed
>
> Supported Server Cipher(s):
> Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
> Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
> Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
> Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253
> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
> Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> Accepted TLSv1.2 256 bits AES256-GCM-SHA384
> Accepted TLSv1.2 256 bits AES256-CCM
> Accepted TLSv1.2 128 bits AES128-GCM-SHA256
> Accepted TLSv1.2 128 bits AES128-CCM
> Accepted TLSv1.2 256 bits AES256-SHA
> Accepted TLSv1.2 128 bits AES128-SHA
> Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> Accepted TLSv1.1 256 bits AES256-SHA
> Accepted TLSv1.1 128 bits AES128-SHA
> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
> Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
> Accepted TLSv1.0 256 bits AES256-SHA
> Accepted TLSv1.0 128 bits AES128-SHA
>
> Server Key Exchange Group(s):
> TLSv1.3 128 bits secp256r1 (NIST P-256)
> TLSv1.3 192 bits secp384r1 (NIST P-384)
> TLSv1.3 260 bits secp521r1 (NIST P-521)
> TLSv1.3 128 bits x25519
> TLSv1.3 224 bits x448
> TLSv1.3 112 bits ffdhe2048
> TLSv1.3 128 bits ffdhe3072
> TLSv1.3 150 bits ffdhe4096
> TLSv1.3 175 bits ffdhe6144
> TLSv1.3 192 bits ffdhe8192
> TLSv1.2 128 bits secp256r1 (NIST P-256)
> TLSv1.2 192 bits secp384r1 (NIST P-384)
> TLSv1.2 260 bits secp521r1 (NIST P-521)
> TLSv1.2 128 bits x25519
> TLSv1.2 224 bits x448
>
> SSL Certificate:
> Signature Algorithm: sha256WithRSAEncryption
> RSA Key Strength: 2048
>
> Subject: ldap.homebox.world
> Altnames: DNS:ldap.homebox.world
> Issuer: (STAGING) Artificial Apricot R3
>
> Not valid before: Dec 13 05:34:29 2022 GMT
> Not valid after: Mar 13 05:34:28 2023 GMT
Thanks for your insights.
Andre
Well, actually, this is the next issue.
For instance, here is the LDIF file I use (each modification is separated by a line containing only "-"):
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap.homebox.world.issuer.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.homebox.world.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.homebox.world.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
And then, when I try to set the cipher suite:
root@main:/etc/ldap/changes# ldapmodify -QY EXTERNAL -H ldapi:/// -d 99 -f /etc/ldap/changes/ssl-config.ldif
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=main
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 4
ldap_write: want=26, written=26
  0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........
  0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..
ldap_msgfree
ldap_result ld 0x5615325c7bd0 msgid 1
wait4msg ld 0x5615325c7bd0 msgid 1 (infinite timeout)
wait4msg continue ld 0x5615325c7bd0 msgid 1 all 1
** ld 0x5615325c7bd0 Connections:
- host: (null) port: 0 (default) refcnt: 2 status: Connected last used: Wed Dec 14 05:47:30 2022
** ld 0x5615325c7bd0 Outstanding Requests:
- msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0
ld 0x5615325c7bd0 request count 1 (abandoned 0)
** ld 0x5615325c7bd0 Response Queue:
   Empty
  ld 0x5615325c7bd0 response count 0
ldap_chkResponseList ld 0x5615325c7bd0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
ldap_int_select
read1msg: ld 0x5615325c7bd0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x5615325c7bd0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5615325c7bd0 0 new referrals
read1msg: mark request completed, ld 0x5615325c7bd0 msgid 1
request done: ld 0x5615325c7bd0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 54 bytes to sd 4
ldap_write: want=54, written=54
  0000:  30 34 02 01 02 66 2f 04  09 63 6e 3d 63 6f 6e 66   04...f/..cn=conf
  0010:  69 67 30 22 30 20 0a 01  00 30 1b 04 11 6f 6c 63   ig0"0 ...0...olc
  0020:  54 4c 53 43 69 70 68 65  72 53 75 69 74 65 31 06   TLSCipherSuite1.
  0030:  04 04 48 49 47 48                                  ..HIGH
ldap_result ld 0x5615325c7bd0 msgid 2
wait4msg ld 0x5615325c7bd0 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x5615325c7bd0 msgid 2 all 1
** ld 0x5615325c7bd0 Connections:
- host: (null) port: 0 (default) refcnt: 2 status: Connected last used: Wed Dec 14 05:47:30 2022
** ld 0x5615325c7bd0 Outstanding Requests:
- msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0
ld 0x5615325c7bd0 request count 1 (abandoned 0)
** ld 0x5615325c7bd0 Response Queue:
   Empty
  ld 0x5615325c7bd0 response count 0
ldap_chkResponseList ld 0x5615325c7bd0 msgid 2 all 1
ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
ldap_int_select
read1msg: ld 0x5615325c7bd0 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 02 67 07 0a                            0....g..
ldap_read: want=6, got=6
  0000:  01 50 04 00 04 00                                  .P....
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x5615325c7bd0 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5615325c7bd0 0 new referrals
read1msg: mark request completed, ld 0x5615325c7bd0 msgid 2
request done: ld 0x5615325c7bd0 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                               0....B.
ldap_free_connection: actually freed
I have the (in)famous "Other (e.g., implementation specific) error (80)".
I also tried the example given here: https://access.redhat.com/articles/1474813
EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
But I get the same "implementation specific error".
However, if I remove the cipher suite, the ldapmodify command works.
Thanks for any advice.
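A check for the mismatch Andre describes (olcTLSProtocolMin: 3.3 configured, yet sslscan reporting TLSv1.0 and TLSv1.1 enabled), added here as example code that is not from the thread or from OpenLDAP: it parses sslscan's protocol summary against the configured minimum, and probe_versions repeats the live check with Python's ssl module, one pinned handshake per version. The host name, port and the sslscan excerpt are assumed/constructed.

```python
import re
import socket
import ssl

# olcTLSProtocolMin uses the record-layer version number (slapd-config(5)):
# 3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2, 3.4 = TLSv1.3.
PROTOCOL_MIN = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1",
                "3.3": "TLSv1.2", "3.4": "TLSv1.3"}
ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PY_VERSION = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
              "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

# Constructed excerpt in the shape of sslscan's "SSL/TLS Protocols:" block,
# mirroring what the post reports for port 636.
SAMPLE_SSLSCAN = """  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled
"""

def parse_sslscan_protocols(text):
    """Map each protocol in sslscan's summary to True (enabled) or False."""
    pat = re.compile(r"^\s*(SSLv[23]|TLSv1\.[0-3])\s+(enabled|disabled)\s*$", re.M)
    return {m.group(1): m.group(2) == "enabled" for m in pat.finditer(text)}

def protocols_below_minimum(enabled, protocol_min):
    """Protocols reported enabled although olcTLSProtocolMin should reject them."""
    floor = ORDER.index(PROTOCOL_MIN[protocol_min])
    return [p for p in ORDER[:floor] if enabled.get(p)]

def probe_versions(host, port=636, timeout=5):
    """Live check: one handshake per TLS version, pinned so nothing else can be
    negotiated. Needs network access, so it is not exercised offline."""
    results = {}
    for name, version in PY_VERSION.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # protocol support is under test, not the cert
        try:
            ctx.minimum_version = ctx.maximum_version = version
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy suites
            with socket.create_connection((host, port), timeout=timeout) as sock, \
                    ctx.wrap_socket(sock, server_hostname=host) as tls:
                results[name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results
```

With the post's output, protocols_below_minimum(..., "3.3") returns TLSv1.0 and TLSv1.1, the two versions the setting should have excluded; run probe_versions("ldap.homebox.world") after each config change to confirm when the running slapd actually picked the value up.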