On Fri, 29 Oct 2021, Ballem, Narayanan wrote:
> Hope you can help with this issue.
> 1) I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as a proxy with upstream Active Directory servers, and we are using CA certs with this OpenSSL. We would like to disable SSLv3. I added the below entry to slapd.conf, but when I try to start slapd it fails to start:
> TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3
Yeah, OpenSSL's cipher selector "SSLv3" doesn't mean what you think and does *not* control what TLS *protocol versions* are offered. A different API call is needed and in OpenLDAP that's done with this option:
TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
TLSProtocolMin 3.2
would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
So, to just disable SSLv3 but support TLSv1.0 and higher, use:
    TLSProtocolMin 3.1
(Frankly, you should be pushing *really hard* to require TLSv1.2 as a minimum.)
For TLSCipherSuite you'll then want to use:
    TLSCipherSuite HIGH:MEDIUM
or probably:
    TLSCipherSuite HIGH
because do you *really* want to permit RC4-MD5, which is part of MEDIUM? If you have clients that require such crappy old ciphers then they *absolutely* need to be updated/replaced.
Philip Guenther
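An added example, not code from the thread or from OpenLDAP: Python's ssl module wraps the same two OpenSSL calls slapd uses, so it can show that the cipher list (TLSCipherSuite) leaves the protocol floor untouched while TLSProtocolMin is what sets it, and it maps the 3.x notation from slapd.conf(5) quoted above to TLS versions. The function names and the clamp-to-highest-supported behaviour are this example's own reading of that manpage text, not slapd internals.

```python
import ssl

# Added example, not code from the thread or from OpenLDAP. Python's ssl module
# wraps the same two OpenSSL calls slapd uses, so it can show that the cipher
# list (TLSCipherSuite) and the protocol floor (TLSProtocolMin) are independent.

# TLSProtocolMin uses SSL/TLS record-layer numbering:
# 3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2, 3.4 = TLSv1.3.
_MINOR_TO_VERSION = {
    0: ssl.TLSVersion.SSLv3,
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_1,
    3: ssl.TLSVersion.TLSv1_2,
    4: ssl.TLSVersion.TLSv1_3,
}

def parse_tls_protocol_min(value: str) -> ssl.TLSVersion:
    """Map a TLSProtocolMin value such as "3.1" to an ssl.TLSVersion.
    slapd.conf(5): a minimum above what is supported means the highest
    supported level, so larger minors clamp to TLSv1.3 here."""
    major, _, minor = value.strip().partition(".")
    minor_n = int(minor or "0")
    if major != "3" or minor_n < 0:
        raise ValueError(f"TLSProtocolMin must be 3[.<minor>], got {value!r}")
    return _MINOR_TO_VERSION[min(minor_n, max(_MINOR_TO_VERSION))]

def cipher_suite_changes_protocol_min(cipher_string: str) -> bool:
    """True if installing a cipher list moved the protocol floor (it never does)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    before = ctx.minimum_version
    ctx.set_ciphers(cipher_string)  # SSL_CTX_set_cipher_list: selects suites only
    return ctx.minimum_version != before

def context_for_slapd(tls_protocol_min: str, tls_cipher_suite: str) -> ssl.SSLContext:
    """Apply both directives as the separate controls they are."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSL_CTX_set_min_proto_version: this, not the cipher list, rejects old protocols
    ctx.minimum_version = parse_tls_protocol_min(tls_protocol_min)
    ctx.set_ciphers(tls_cipher_suite)
    return ctx

def legacy_suites(ctx: ssl.SSLContext) -> list:
    """Enabled suites still using RC4 or an MD5 MAC: a quick audit of TLSCipherSuite."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if "RC4" in c["name"] or "MD5" in c["name"])

if __name__ == "__main__":
    print("cipher list moves floor:", cipher_suite_changes_protocol_min("HIGH:MEDIUM"))
    ctx = context_for_slapd("3.3", "HIGH")  # the TLSv1.2 floor the reply recommends
    print("floor:", ctx.minimum_version.name, "legacy suites:", legacy_suites(ctx))
```

Whether RC4-MD5 shows up for HIGH:MEDIUM depends on how the local OpenSSL was built; with HIGH alone the audit list is empty on any build.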