On Wed, Dec 14, 2022 at 2:42 AM Andre Rodier andre@rodier.me wrote:
... Well, actually, this is the next issue.
For instance, here is the LDIF file I use:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap.homebox.world.issuer.crt
...
I have the (in)famous "Other (e.g., implementation specific) error (80)".
I also tried the example given here: https://access.redhat.com/articles/1474813
EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
Mozilla offers a tool called Configuration Generator to help with cipher suite strings at https://ssl-config.mozilla.org/.
If you want a firm posture while using a string like shown above, try the following. I've been using it for years without trouble.
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"
Here's the breakdown:
* HIGH - higher strength ciphers and key sizes. I believe this includes only 128-bit block ciphers with 128- or 256-bit keys.
* !aNULL - no anonymous protocols or cipher suites
* !kRSA - no key transport (RSA encryption), but allow server authentication with RSA (RSA signatures)
* !PSK, !SRP - remove unneeded algorithms
* !MD5, !RC4 - remove weak/wounded algorithms that may show up
Ironically, SRP and PSK are some of the stronger cipher suites in terms of security because they provide channel binding. But they are rarely used. Binding the channel means the client and server authentication are intertwined with the communication channel setup. If the client or server fails to authenticate, then the channel setup fails. An interception proxy or DLP will fail to set up the channel, and a user will know there's an active MitM.
The browsers hate SRP and PSK because they can't MitM the comms. The browsers prefer transport schemes like basic_auth, where a secret can be passed around.
But same "implementation specific error"
However, if I remove the cipher suite, the ldap modify command is working.
Jeff
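An added check, not part of this thread, that uses Python's ssl module to have the local OpenSSL expand each cipher string and then flags any suite that contradicts the breakdown above (anonymous auth, RSA key transport, PSK/SRP, MD5, RC4). The constant names and the audit rules are this example's own, and the result describes only the libssl Python is linked against, which is not necessarily the one slapd uses.

```python
import ssl

# Constructed for this example: the two strings discussed in the thread.
PROPOSED_STRING = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"
REDHAT_STRING = "EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the suites the local libssl would offer.

    set_ciphers() raises ssl.SSLError when nothing matches, which is also how a
    typo in the string surfaces."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def reasons_for(cipher):
    """Return why one get_ciphers() entry violates the posture in the breakdown."""
    kea = cipher.get("kea") or ""
    reasons = []
    if cipher.get("auth") == "auth-null":
        reasons.append("anonymous (aNULL)")
    if kea == "kx-rsa":
        reasons.append("RSA key transport (kRSA)")
    if "psk" in kea or "srp" in kea:
        reasons.append("PSK/SRP")
    if cipher.get("digest") == "md5":
        reasons.append("MD5")
    if cipher.get("symmetric") == "rc4":
        reasons.append("RC4")
    return reasons


def audit(cipher_string):
    """Return [(suite name, reasons), ...] for the TLS 1.2-and-below suites that
    the string admits but the breakdown says should be gone."""
    findings = []
    for c in expand(cipher_string):
        # TLS 1.3 suites are listed regardless of the string and are always (EC)DHE.
        if c.get("protocol") == "TLSv1.3":
            continue
        why = reasons_for(c)
        if why:
            findings.append((c["name"], ", ".join(why)))
    return findings


if __name__ == "__main__":
    for label, s in (("proposed", PROPOSED_STRING), ("Red Hat article", REDHAT_STRING)):
        print(f"{label}: {len(expand(s))} suites")
        for name, why in audit(s):
            print(f"  FLAG {name}: {why}")
```

The Red Hat string keeps the bare RSA keyword, so on a stock OpenSSL it still admits static-RSA key exchange suites, which is what the kRSA flag shows.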