Hi everyone
Question: are there some limitations (key size, encryption algorithm, etc.) for certificates used by OpenLDAP to manage TLS connections?
See below why I ask:
I have used the following configuration in my slapd servers for quite a while without any problem:
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow
See for example my configuration for syncrepl (see: tls_reqcert=demand):
olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type=refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap/cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 filter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand
-> I have used this for a couple of years on my multi-master LDAP servers, and until yesterday it worked perfectly: replication was working properly and clients talked with the servers using TLS without any problem.
But since my certificates were too weak (see: sha1, 512 bit):
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Dec 29 15:41:56 2011 GMT
            Not After : Jul 29 15:41:56 2021 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
I have renewed them using the same self-signed authority to validate them, and of course using exactly the same subject. My new certificate looks like this:
$ openssl x509 -text -in server.crt (see: sha2, 4096 bit):
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Jul 22 15:24:50 2015 GMT
            Not After : Feb 19 15:24:50 2025 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
I installed my new certificate on ldap1 without changing the configuration, and after restarting the server, here is what I get in the ldap4 logs (loglevel = sync):
$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying
When I reinstall the previous certificates and restart ldap1, I see this appearing in the ldap4 logs:
...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Question: are there some limitations (key size, encryption algorithm, etc.) for certificates used by OpenLDAP to manage TLS connections? Do OpenLDAP TLS connections work with sha256WithRSAEncryption certificates using a 4096-bit public key? Maybe I missed something?
(note: I use openssl to manage my certificates)
Thanks for any help.
--- Olivier
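Before pointing olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile at a renewed certificate set, a check like the following (an added example, not part of Olivier's post) catches the things a "ldap_start_tls failed" line does not say: a key file that no longer matches the certificate, a certificate that does not chain to the CA file the replication peers use as tls_cacert, and a signature algorithm or key size that current TLS stacks reject. It assumes only the openssl command-line tool; the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a slapd TLS
# certificate set with the openssl CLI before loading it into cn=config.
# Usage: check_cert_set CA.crt server.crt server.key   (placeholder paths)
# Prints each finding and returns 0 only if every check passes.
check_cert_set() {
    ca="$1"; crt="$2"; key="$3"; rc=0
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    echo "signature algorithm: $sigalg"
    echo "public key size: ${bits:-unknown} bit"
    # OpenSSL security level 2 (the default on several distributions) refuses
    # SHA-1 signatures and RSA keys shorter than 2048 bits, so flag both.
    case "$sigalg" in
        sha1*|md5*) echo "WEAK: certificate signed with $sigalg"; rc=1 ;;
    esac
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WEAK: ${bits:-0}-bit key"; rc=1
    fi
    # Consumers with tls_reqcert=demand verify the provider's cert against
    # their tls_cacert; a cert that does not chain to that file fails StartTLS.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; rc=1
    fi
    # A renewed cert with the old private key left in place also fails the
    # handshake: compare the public key in the cert with the one in the key file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $crt"; rc=1
    fi
    # The name the consumers connect to (provider=ldap://ldap1.example.fr)
    # must appear in the Subject CN or a DNS SAN; show both for eyeballing.
    printf '%s\n' "$text" | grep -E 'Subject:|DNS:' | sed 's/^ *//'
    return $rc
}
```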