Hi all, I'm running version 2.4.49 on Ubuntu 20.04. I've been unable to add the olcTLSCipherSuite configuration attribute.
# ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
returns:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
set-ciphersuite.ldif contains the following:
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: ALL
I was able to successfully configure (and confirmed working) TLS by setting the following attributes:
olcTLSCACertificateFile: /etc/ssl/certs/mydomain.fullchain.pem
olcTLSCertificateFile: /etc/ssl/certs/mydomain.cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/mydomain.privkey.pem
and was just looking to limit which ciphers would be offered.
I've found several discussions (here, on stackoverflow, etc.) that mention this error, but those discussions concerned these latter TLS attributes (which I had no problem adding) and not the olcTLSCipherSuite attribute. They also pointed to file permissions being the issue for the certificate files, which I've confirmed is not an issue. I would be grateful if anyone could point me in the right direction.
Ben
On Fri, Nov 27, 2020 at 01:58:36PM -0800, Benjamin Schneider wrote:
> Hi all, I'm running version 2.4.49 on Ubuntu 20.04. I've been unable to add the olcTLSCipherSuite configuration attribute.
> # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
> returns:
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "cn=config"
> ldap_modify: Other (e.g., implementation specific) error (80)
> set-ciphersuite.ldif contains the following:
> dn: cn=config
> changetype: modify
> add: olcTLSCipherSuite
> olcTLSCipherSuite: ALL
The openldap packages in Ubuntu use GnuTLS as the TLS library, not OpenSSL. Therefore the value of olcTLSCipherSuite has to be a GnuTLS priority string, not an OpenSSL cipher list.
https://gnutls.org/manual/html_node/Priority-Strings.html
You might also be interested in olcTLSProtocolMin.
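As an added example that is not part of this thread, the script below builds the cn=config change with a GnuTLS priority string (instead of an OpenSSL keyword like ALL) together with olcTLSProtocolMin, and checks the string with gnutls-cli's own parser before applying it. The priority string SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3, the minimum "3.3" (TLS 1.2 in the major.minor form olcTLSProtocolMin expects) and the file name are assumptions chosen for illustration.

```bash
#!/bin/sh
# Added example, not code from the thread. Assumed values for an Ubuntu slapd
# that is linked against GnuTLS; adjust PRIORITY and PROTOCOL_MIN to your policy.
PRIORITY='SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3'
PROTOCOL_MIN='3.3'   # TLS 1.2; olcTLSProtocolMin uses the SSL major.minor form

# Emit the LDIF. "replace:" (rather than the thread's "add:") succeeds whether
# or not the attribute already exists, so the file can be re-applied safely.
tls_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n-\n' "$1"
    printf 'replace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "$2"
}

# Let GnuTLS parse the priority string before slapd sees it. Returns 0 if
# accepted, 1 on a syntax error (an OpenSSL cipher list such as "ALL" fails
# here), 2 if gnutls-cli (package gnutls-bin) is not installed.
priority_check() {
    command -v gnutls-cli >/dev/null 2>&1 || return 2
    gnutls-cli --priority "$1" -l >/dev/null 2>&1 || return 1
}

# Apply the change over ldapi:// as root and read back what slapd stored.
apply_tls_config() {
    tls_ldif "$PRIORITY" "$PROTOCOL_MIN" > set-ciphersuite.ldif
    ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif
    ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config -s base -LLL \
        olcTLSCipherSuite olcTLSProtocolMin
}

# Only touch the server when invoked as: sh set-ciphersuite.sh apply
if [ "${1:-}" = apply ]; then
    rc=0
    priority_check "$PRIORITY" || rc=$?
    case $rc in
        1) echo "GnuTLS rejected priority string: $PRIORITY" >&2; exit 1 ;;
        2) echo "gnutls-cli not found, skipping priority string check" >&2 ;;
    esac
    apply_tls_config
fi
```

Run it as root on the server with the `apply` argument; without it the script only defines the functions, which is what the offline check below exercises.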
On Mon, Nov 30, 2020 at 9:09 AM Ryan Tandy ryan@nardis.ca wrote:
> The openldap packages in Ubuntu use GnuTLS as the TLS library, not OpenSSL. Therefore the value of olcTLSCipherSuite has to be a GnuTLS priority string, not an OpenSSL cipher list.
Confirmed. This was indeed the problem. Thank you!
openldap-technical@openldap.org