From: mlstarling31@hotmail.com To: fumiyas@osstech.jp; openldap-technical@openldap.org Subject: RE: Redhat LDAP Client Issues when disabling SSLv3 Date: Thu, 23 Oct 2014 10:52:22 -0400
> Date: Thu, 23 Oct 2014 11:59:10 +0900 From: fumiyas@osstech.jp To: openldap-technical@openldap.org Subject: Re: Redhat LDAP Client Issues when disabling SSLv3
> At Wed, 22 Oct 2014 16:54:24 -0500, Peter Boguszewski wrote:
> Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 nor TLS1.2 with the yum installed packages.
> OpenLDAP in RHEL 6.x is version 2.4.23 that has a bug, ITS#7645. (See http://www.openldap.org/its/index.cgi?findid=7645)
> You must set olcTLSProtocolMin to 769 instead of 3.1 for OpenLDAP 2.4.35 and older.
> Cipher suites are not protocol versions. To configure slapd to only negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented in slapd-config(5).
> -- -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/ -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
Thank you Satoh.
I can confirm setting olcTLSProtocolMin 3.1 disabled SSLv3 in the RHEL openldap-2.4.39-8 package.
However, setting olcTLSProtocolMin 769 on openldap-2.4.23-34.el6_5.1 still allows a successful SSLv3 handshake. Also, olcTLSProtocolMin is not even documented in the slapd.conf man pages for this version.
I suspect I'm hitting the issue of RHEL openldap being linked against moz_nss and not openssl, therefore olcTLSProtocolMin is ignored in this version.
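Added example, not from the thread and not OpenLDAP's own code: a small Python helper showing how an olcTLSProtocolMin value written as 3.1 corresponds to the packed integer 769 (major << 8 | minor) that the messages above discuss, plus a check of a captured ServerHello's chosen version against such a minimum, which is the kind of handshake verification the reply describes doing against the RHEL package. The sample records are constructed inline (not captured from any real server) and the function names are this example's own.

```python
"""Encode/decode olcTLSProtocolMin values and check a ServerHello against them.

Added example for the thread above; not part of OpenLDAP. All names here are
this example's own, and the sample records below are constructed, not captured.
"""
import struct

# TLS versions as (major, minor) pairs on the wire. SSLv3 is 3.0, TLSv1.0 is 3.1, etc.
PROTOCOL_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def protocol_min_to_int(value):
    """Convert an olcTLSProtocolMin value to the packed integer (major << 8 | minor).

    Accepts the dotted form documented in slapd-config(5) ("3.1") and the bare
    integer form the thread says older releases needed ("769"); both give 769.
    """
    value = value.strip()
    if "." in value:
        major, minor = value.split(".", 1)
        return (int(major) << 8) | int(minor)
    return int(value)


def int_to_protocol_min(packed):
    """Inverse of protocol_min_to_int: 769 -> (3, 1)."""
    return (packed >> 8, packed & 0xFF)


def protocol_name(packed):
    """Human-readable name for a packed version, e.g. 768 -> 'SSLv3'."""
    return PROTOCOL_NAMES.get(int_to_protocol_min(packed), "unknown 0x%04x" % packed)


def server_hello_version(record):
    """Return the packed server_version from a TLS record carrying a ServerHello.

    Layout: record header (type 1B, version 2B, length 2B) followed by the
    handshake header (type 1B, length 3B) and then server_version (2B).
    The record-layer version is deliberately ignored: the server's choice is
    the one inside the ServerHello body.
    """
    if len(record) < 11:
        raise ValueError("record too short for a ServerHello")
    content_type, _rec_major, _rec_minor, _rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record (content type 0x%02x)" % content_type)
    if record[5] != 0x02:
        raise ValueError("not a ServerHello (handshake type 0x%02x)" % record[5])
    return (record[9] << 8) | record[10]


def negotiated_below_minimum(record, configured_min):
    """True when the server settled on a version below the configured minimum.

    That outcome means the minimum is not being enforced, which is exactly the
    symptom reported above for the 2.4.23 package: a successful SSLv3 handshake
    despite olcTLSProtocolMin being set.
    """
    return server_hello_version(record) < protocol_min_to_int(configured_min)


# Constructed sample records: only the first 11 bytes of each ServerHello,
# which is all the version check needs. Not captured from any real host.
SSLV3_SERVER_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x2A, 0x02, 0x00, 0x00, 0x26, 0x03, 0x00])
TLS10_SERVER_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x02, 0x00, 0x00, 0x26, 0x03, 0x01])
TLS12_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x2A, 0x02, 0x00, 0x00, 0x26, 0x03, 0x03])

if __name__ == "__main__":
    for setting in ("3.1", "769"):
        packed = protocol_min_to_int(setting)
        print("olcTLSProtocolMin %s -> %d (%s)" % (setting, packed, protocol_name(packed)))
    for label, rec in (("SSLv3", SSLV3_SERVER_HELLO), ("TLSv1.0", TLS10_SERVER_HELLO),
                       ("TLSv1.2", TLS12_SERVER_HELLO)):
        print("%s ServerHello below minimum 3.1: %s"
              % (label, negotiated_below_minimum(rec, "3.1")))
```

To feed real bytes into `server_hello_version`, record the server's first handshake response with a packet capture while a client forces an old version (for instance `openssl s_client -connect host:636 -ssl3` on an OpenSSL build that still includes SSLv3); a ServerHello at 3.0 from a server configured with a 3.1 minimum is the "still allows SSLv3" result described above.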