Hi

I’m attempting to modify the TLS ciphers that are used in an openldap2-2.4.41-22.16.1.x86_64 environment in our lab, running on SLES 12 SP5. I’ve used the following command to set the cipher list value to the returned value of ‘openssl ciphers HIGH’:

ldpdd041:/tmp # cat set-ciphersuite.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

ldpdd041:/tmp # openssl ciphers HIGH
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
ldpdd041:/tmp #

So I had expected to see that all of these ciphers were being offered for use by the OpenLDAP server; instead, I see that only a subset of the list is offered:

sslyze ldpdd041.hop.lab.emc.com:636
.
.
.

* TLS 1.0 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 4 cipher suites:
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 256
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 128
        TLS_RSA_WITH_AES_256_CBC_SHA                      256
        TLS_RSA_WITH_AES_128_CBC_SHA                      128

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    INSECURE - Not Supported
       Legacy RC4 Algorithm               OK - Not Supported

* TLS 1.1 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 4 cipher suites:
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 256
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 128
        TLS_RSA_WITH_AES_256_CBC_SHA                      256
        TLS_RSA_WITH_AES_128_CBC_SHA                      128

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    INSECURE - Not Supported
       Legacy RC4 Algorithm               OK - Not Supported

* TLS 1.2 Cipher Suites:
     Attempted to connect using 156 cipher suites.

     The server accepted the following 8 cipher suites:
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 256
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 128
        TLS_RSA_WITH_AES_256_GCM_SHA384                   256
        TLS_RSA_WITH_AES_256_CBC_SHA256                   256
        TLS_RSA_WITH_AES_256_CBC_SHA                      256
        TLS_RSA_WITH_AES_128_GCM_SHA256                   128
        TLS_RSA_WITH_AES_128_CBC_SHA256                   128
        TLS_RSA_WITH_AES_128_CBC_SHA                      128

I believe I know why the DHE-based ciphers are not being offered: I haven’t enabled use of the olcTLSDHParamFile directive. Rather than mess around with generating the DH param file, etc., I’d like to use ECDHE-based ciphers. According to p. 160 of https://www.openldap.org/doc/admin24/OpenLDAP-Admin-Guide.pdf, the ‘TLSECName’ directive allows an ECDHE curve to be specified. When I tried to enable use of the directive, I received a ‘wrong attributeType’ error:

ldpdd041:/tmp # cat set-ecname.ldif
dn: cn=config
changetype: modify
add: olcTLSECName
olcTLSECName : secp384r1
ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ecname.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: wrong attributeType at line 4, entry "cn=config"
ldpdd041:/tmp #

Does OpenLDAP 2.4.41 not support this directive?

Thanks
tl

Terry Lemons
Senior Principal Software Engineer, Dell EMC
Dell Technologies | Data Management
Terry.Lemons@dell.com

Internal Use - Confidential
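The gap between the HIGH list and what sslyze saw follows from what each key exchange needs on the server side. The Python below is an added example, not code from the post or from OpenLDAP: it takes the `openssl ciphers HIGH` output quoted above (the 128-bit half is derived from the 256-bit half rather than retyped), classifies each suite by its OpenSSL name prefix, and predicts the negotiable set per protocol version given a set of server prerequisites. The prerequisite labels (`rsa_cert`, `dh_params`, `ec_curve`, and so on) and the rules that ECDH/DH static suites need a matching certificate and that SRP/PSK suites need credential callbacks slapd does not provide are my modelling assumptions; the DHE-needs-DH-params and ECDHE-needs-a-curve rules come from the post and the admin guide it cites. Under "RSA certificate only" the model reproduces exactly the eight TLS 1.2 and four TLS 1.0/1.1 suites sslyze listed, with no forward secrecy. It also flags a point worth checking before a curve or DH parameters are added: HIGH by itself keeps the anonymous ADH/AECDH suites, which authenticate nobody, so a string such as HIGH:!aNULL is the safer configuration.

```python
"""Added example (not from the post): which suites of an OpenSSL cipher list
an OpenSSL-backed slapd can actually negotiate, given what key-exchange
material the server has configured. GCM and SHA-2 HMAC suites are TLS 1.2-only.
"""
import re

# Constructed input: the 256-bit half of `openssl ciphers HIGH` from the post.
_HIGH_256 = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:"
    "DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:"
    "DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:"
    "DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:"
    "DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:"
    "DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:"
    "AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:"
    "ADH-AES256-SHA:ADH-CAMELLIA256-SHA:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:"
    "ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:"
    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:"
    "PSK-AES256-CBC-SHA"
)


def _to_128(name):
    """The post's list repeats every suite with 128-bit ciphers (and SHA256 in
    place of SHA384); derive that half instead of retyping it."""
    return (name.replace("AES256", "AES128").replace("AES-256", "AES-128")
            .replace("CAMELLIA256", "CAMELLIA128").replace("SHA384", "SHA256"))


HIGH_LIST = _HIGH_256.split(":") + [_to_128(n) for n in _HIGH_256.split(":")]

# OpenSSL name prefix -> (key exchange, authenticated?, forward secrecy?,
# server prerequisite). Prerequisite names are this example's own labels.
# Longer prefixes first so "ECDHE-" is tested before "ECDH-".
_KX = [
    ("ECDHE-", "ECDHE", True,  True,  "ec_curve"),      # TLSECName
    ("AECDH-", "ECDHE", False, True,  "ec_curve"),      # anonymous
    ("ECDH-",  "ECDH",  True,  False, "ecdh_cert"),
    ("DHE-",   "DHE",   True,  True,  "dh_params"),     # olcTLSDHParamFile
    ("ADH-",   "DHE",   False, True,  "dh_params"),     # anonymous
    ("DH-",    "DH",    True,  False, "dh_cert"),
    ("SRP-",   "SRP",   True,  False, "srp_verifier"),
    ("PSK-",   "PSK",   True,  False, "psk_callback"),
]


def classify(name):
    """Describe one OpenSSL suite name; no prefix means RSA key exchange."""
    kx, auth, fs, need = "RSA", True, False, "rsa_cert"
    for prefix, p_kx, p_auth, p_fs, p_need in _KX:
        if name.startswith(prefix):
            kx, auth, fs, need = p_kx, p_auth, p_fs, p_need
            break
    tls12_only = "-GCM-" in name or name.endswith(("SHA256", "SHA384"))
    return {"name": name, "kx": kx, "anon": not auth, "fs": fs,
            "needs": need, "tls12_only": tls12_only}


def iana_rsa_name(name):
    """RSA-key-exchange OpenSSL name -> the IANA name sslyze prints,
    e.g. AES256-SHA -> TLS_RSA_WITH_AES_256_CBC_SHA. None for other suites."""
    m = re.fullmatch(r"(AES|CAMELLIA)(128|256)-(GCM-)?(SHA\d*)", name)
    if not m:
        return None
    cipher, bits, gcm, mac = m.groups()
    return f"TLS_RSA_WITH_{cipher}_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"


def negotiable(names, server_has):
    """Per protocol version, the suites the server can offer given the
    prerequisites it actually has, e.g. {"rsa_cert"}."""
    out = {"TLSv1.0": [], "TLSv1.1": [], "TLSv1.2": []}
    for n in names:
        info = classify(n)
        if info["needs"] not in server_has:
            continue
        out["TLSv1.2"].append(n)
        if not info["tls12_only"]:
            out["TLSv1.0"].append(n)
            out["TLSv1.1"].append(n)
    return out


def anonymous_suites(names):
    """Suites that authenticate nobody (ADH/AECDH). 'HIGH' keeps them;
    append ':!aNULL' to the cipher string to remove them."""
    return [n for n in names if classify(n)["anon"]]


if __name__ == "__main__":
    lab = negotiable(HIGH_LIST, {"rsa_cert"})            # the post's server
    for ver, suites in lab.items():
        print(f"{ver}: {len(suites)} suites")
        for s in suites:
            print(f"    {iana_rsa_name(s)}")
    print("forward secrecy:", any(classify(s)["fs"] for s in lab["TLSv1.2"]))
    with_ec = negotiable(HIGH_LIST, {"rsa_cert", "ec_curve"})  # after a curve is set
    print("with an EC curve:", len(with_ec["TLSv1.2"]), "TLS 1.2 suites;",
          "anonymous:", anonymous_suites(with_ec["TLSv1.2"]))
```

Running it prints the same eight and four RSA suites sslyze reported, then shows that configuring a curve would enable the twelve ECDHE suites plus the two anonymous AECDH suites unless `!aNULL` is added.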
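Before asking whether slapd knows olcTLSECName, note what the error says: it is ldapmodify, the client, rejecting line 4 of set-ecname.ldif while parsing the LDIF, and line 4 is the one with a space between the attribute name and the colon. The Python below is an added example, not code from the post and not OpenLDAP's own LDIF parser: a small lint pass implementing two checks from RFC 2849 and ldapmodify's modify handling, run over the two records quoted above (embedded here as constructed input) and over a variant with the whitespace removed. Attribute descriptions are matched against the RFC 4512 `descr`/numeric OID grammar, which is why a name with a trailing space fails. Once the LDIF itself is clean, a server whose schema lacks the attribute answers with LDAP result 17 (undefinedAttributeType), a server-side error rather than a client-side parse error, which is the way to separate the file problem from the version question.

```python
"""Added example (not from the post): lint an LDIF change record for the two
problems ldapmodify reports before anything reaches slapd.

  1. RFC 2849: an attribute description is followed immediately by ':';
     whitespace before the colon becomes part of the attribute name, and
     "olcTLSECName " is not a valid attribute type.
  2. In a changetype: modify record, the value lines under an
     add:/replace:/delete: X line must carry attribute X itself.
Line numbers are 1-based within the file, as ldapmodify reports them.
"""
import re

# RFC 4512 attributedescription: descr or numeric OID, optional ;options.
_ATTR_DESC = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")
_MOD_OPS = ("add", "replace", "delete")

# Constructed input: the two change records from the post, as ldapmodify read them.
SET_CIPHERSUITE = """dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
"""

SET_ECNAME = """dn: cn=config
changetype: modify
add: olcTLSECName
olcTLSECName : secp384r1
"""

# The same record with the stray space removed.
SET_ECNAME_FIXED = SET_ECNAME.replace("olcTLSECName : ", "olcTLSECName: ")


def _unfold(text):
    """Join RFC 2849 continuation lines (leading single space) onto the
    logical line they belong to, keeping that line's physical line number."""
    lines = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and lines:
            lines[-1] = (lines[-1][0], lines[-1][1] + raw[1:])
        else:
            lines.append((no, raw))
    return lines


def lint_ldif(text):
    """Return [(line_no, message)] for lines ldapmodify would reject."""
    problems = []
    in_modify = False
    mod_attr = None      # attribute named by the current add:/replace:/delete:
    for no, line in _unfold(text):
        if not line.strip():             # blank line ends the record
            in_modify, mod_attr = False, None
            continue
        if line.startswith("#"):
            continue
        if line == "-":                  # ends one modification within the record
            mod_attr = None
            continue
        if ":" not in line:
            problems.append((no, "line is not 'attr: value'"))
            continue
        attr, value = line.split(":", 1)
        value = value.lstrip(":<").strip()   # '::' base64 / ':<' URL forms, not decoded here
        if not _ATTR_DESC.match(attr):
            problems.append((no, f"wrong attributeType {attr!r} "
                                 "(whitespace or bad character before ':')"))
            continue
        lower = attr.lower()
        if lower == "changetype":
            in_modify = value == "modify"
        elif in_modify and lower in _MOD_OPS:
            mod_attr = value
        elif in_modify and mod_attr is not None and lower != mod_attr.lower():
            problems.append((no, f"expected values for {mod_attr!r}, got {attr!r}"))
    return problems


if __name__ == "__main__":
    for label, ldif in (("set-ciphersuite.ldif", SET_CIPHERSUITE),
                        ("set-ecname.ldif", SET_ECNAME),
                        ("set-ecname.ldif (space removed)", SET_ECNAME_FIXED)):
        print(label, "->", lint_ldif(ldif) or "clean")
```

The checker reports the first record as clean, flags line 4 of the second with a wrong attributeType message at the same line ldapmodify named, and passes the corrected variant, which is the one to feed to ldapmodify when testing whether this slapd build accepts the attribute.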