On Thu, Feb 07, 2019 at 04:50:58PM +0000, Philip Colmer wrote:
> So, just to confirm, do I need to provide a colon-separated list of each
> and every cipher suite or is there a GnuTLS shorthand that I can use?

See https://gnutls.org/manual/html_node/Priority-Strings.html for a list
of keywords.
I think you are likely looking for something like (completely untested):
    NORMAL:-VERS-ALL:+VERS-TLS1.2
For debugging priority strings and checking what they enable, you can
use gnutls-cli:
    gnutls-cli --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -l
For example I noticed this way that mine doesn't understand
"VERS-TLS1.3" yet.
I'll mention as well since this came up in IRC recently - if you have
Ubuntu 14.04 systems in your network still, be aware that its gnutls
package has trouble with TLS1.2:
https://bugs.launchpad.net/bugs/1444656
Hope this helps,
Ryan
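
The `gnutls-cli -l` check suggested above can be turned into a pass/fail test. This is an added example, not part of the original message: it assumes the listing contains a `Protocols:` line with comma-separated `VERS-*` names, the function names are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: verify which TLS versions a GnuTLS priority string enables
# by parsing the "Protocols:" line of `gnutls-cli --priority STRING -l`.

# Constructed sample of `gnutls-cli -l` output (layout is an assumption).
SAMPLE_OUTPUT='Cipher suites for NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384    0xc0, 0x30    TLS1.2

Protocols: VERS-TLS1.2, VERS-DTLS1.2
Ciphers: AES-256-GCM, AES-128-GCM'

# Read a listing on stdin; print the enabled stream-TLS versions
# (VERS-TLS*, ignoring DTLS entries), one per line, sorted.
tls_versions() {
    sed -n 's/^Protocols: *//p' | tr ',' '\n' | tr -d ' \t' |
        grep '^VERS-TLS' | sort
}

# Read a listing on stdin; succeed only if the enabled TLS versions are
# exactly the space-separated set in $1. A listing with no Protocols line
# (for example, a priority keyword this gnutls-cli build rejects) fails.
only_tls_versions() {
    want=$(printf '%s\n' $1 | sort)   # unquoted on purpose: split on spaces
    got=$(tls_versions)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Run the check against the installed gnutls-cli.
# usage: check_priority 'NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2' 'VERS-TLS1.2'
check_priority() {
    gnutls-cli --priority "$1" -l 2>&1 | only_tls_versions "$2"
}
```

Run `check_priority` on each host that will consume the priority string, since the set of keywords understood depends on the installed GnuTLS version.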