OK, then I tried to add that attribute TLSecName to my config (OLC), but it fails:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcTLSecName-ECC.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: wrong attributeType at line 4, entry "cn=config"

The LDIF contains:

# cat /root/ldifidLdapFm/olcTLSSecName-ECC.ldif
dn: cn=config
changetype: modify
add: olcTLSECName
olcTLSECName: secp256k1


Value taken from:

# openssl ecparam -list_curves
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field


I also tried with your proposed value X25519:P-256, it fails the same way.
Here is the content of my ECDSA-signed certificate:

# openssl x509 -in ./cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:f9:6a:e3:82:60:1c:91:c3:02:18:ab:a6:f7:ab:60
    Signature Algorithm: ecdsa-with-SHA256


Did I miss something?

thanks.

On 10/12/2024 12:06, Geert Hendrickx wrote:
IIRC OpenLDAP doesn't specify any curve by default for ECDHE.  You need
to specify it explicitly to be able to use ECDHE (and thus ECDSA), eg:

TLSECName X25519:P-256

This is also needed to get ECDHE key exchange with RSA certificates, btw.
So perhaps OpenLDAP should configure a curve (list) by default?

(OpenSSL < 1.0.2 supports only a single curve.  Pick P-256 in that case.)


	Geert
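An added check (not code from anyone in this thread) to confirm that slapd really negotiates an ECDHE key exchange once TLSECName is set: the live function assumes ldaps on port 636 and a local openssl binary, and the parser is exercised on constructed sample s_client output, so it runs without a server.

```shell
#!/bin/sh
# Added example, not from the thread. Extract the negotiated cipher and the
# ephemeral ("Server Temp Key") line from `openssl s_client` output.
# Prints "<cipher>|<temp key>", with "none" for whichever is absent
# (no temp key line means no (EC)DHE was negotiated, e.g. static RSA).
parse_s_client() {
    awk '
        /^ *Cipher *:/        { sub(/^ *Cipher *: */, ""); cipher = $0 }
        /^ *Server Temp Key:/ { sub(/^ *Server Temp Key: */, ""); tmp = $0 }
        END {
            if (cipher == "") cipher = "none"
            if (tmp == "") tmp = "none"
            printf "%s|%s\n", cipher, tmp
        }'
}

# Return 0 when the parsed result shows an ECDHE exchange: OpenSSL reports
# the temp key as "ECDH, <curve>, N bits" for NIST curves, or "X25519"/"X448".
uses_ecdhe() {
    case "$1" in
        *"|ECDH, "*|*"|X25519"*|*"|X448"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check (assumption: ldaps on port 636). TLS 1.2 is forced so the
# cipher name itself also states the key exchange (ECDHE-ECDSA-...).
check_slapd_ecdhe() {
    host=${1:?host}; port=${2:-636}
    openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>/dev/null | parse_s_client
}

# Constructed sample output (not captured from a real server): a server with
# a curve configured, and one that fell back to static RSA key exchange.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: X25519, 253 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384'
SAMPLE_NO_ECDHE='New, TLSv1.2, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
```

Run `check_slapd_ecdhe ldap.example.org | { read r; uses_ecdhe "$r" && echo ECDHE-ok || echo "no ECDHE: $r"; }` against a live server; with no curve configured, the ECDSA-cert case would show up as a failed handshake (both fields "none").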


On Tue, Dec 10, 2024 at 11:49:00 +0100, Dirk Kastens wrote:
Hi,

we use certificates with ecdsa-with-SHA256 signature created with certbot on
openldap 2.6 without problems.

On 10.12.2024 at 11:28, jehan Procaccia wrote:
Hi

we finally moved from RSA signed certificate to ECDSA signature as it is
the default nowadays (https://community.letsencrypt.org/t/ecdsa-certificates-by-default-and-other-upcoming-changes-in-certbot-2-0/177013)

unfortunately, slapd doesn't like those certificates:

slapd[641]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/serve
slapd[641]: main: TLS init def ctx failed: -1
slapd[641]: slapd stopped.

This happened on a server running old openldap 2.4
(openldap-2.4.44-25.el7_9.x86_64)

Is there a directive to allow ECDSA certs in slapd (2.4)?

Is it natively supported in up-to-date versions of OpenLDAP 2.5 / 2.6?

Is there a special directive in certbot to request slapd certs?

thanks.

Dirk