Hi all - As part of routine security remediation my company asked me to remove the support for older TLS versions from my LDAP server. To this effect I restarted the service after running the following:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f olcTLSProtocolMin.ldif
Here is the content of olcTLSProtocolMin.ldif
dn: cn=config
changetype: modify
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
When I look at the /etc/ldap/slapd.d/cn=config.ldif file I can see the olcTLSProtocolMin: 3.3 entry. However, when I scan the LDAP server using Nessus, the scanner reports that older versions of TLS are still available. Also, if I scan the supported TLS versions using nmap, it reports TLS 1.0 through TLS 1.2 as well.
If it helps, here is the cn=config.ldif file:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats sync
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/my_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/my_slapd_key.pem
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: SomeUUID
creatorsName: cn=config
createTimestamp: 20160311213839Z
olcTLSProtocolMin: 3.3
entryCSN: 20220601202658.429433Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber
Any help will be greatly appreciated.
JRosario
--On Friday, June 3, 2022 9:02 PM +0000 juan@quantifind.com wrote:
Hi all - As part of routine security remediation my company asked me to remove the support for older TLS versions from my LDAP server. To this effect I restarted the service after running the following:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f olcTLSProtocolMin.ldif
Here is the content of olcTLSProtocolMin.ldif
dn: cn=config
changetype: modify
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
Hello,
You've not specified which TLS library the slapd you are using is linked to. As documented in the slapd.conf(5) and slapd-config(5) man pages, setting a minimum protocol version only works with slapd binaries that are linked to OpenSSL. If the deployment is linked to some other SSL library it is not possible to use this setting to limit the TLS protocol version. It may be possible via other methods if the slapd binary is linked to GnuTLS, I strongly advise reading the man pages for further information.
Regards, Quanah
Hi Quanah - I am not sure how to determine which TLS library slapd is linked to. Could you point me in the right direction so I can verify whether we are using GnuTLS?
--On Monday, June 6, 2022 5:04 PM +0000 juan@quantifind.com wrote:
Hi Quanah - I am not sure how to determine which TLS library slapd is linked to. Could you point me in the right direction so I can verify whether we are using GnuTLS?
Are you using a build provided by a distribution? For example, OpenLDAP builds provided by the Debian and Ubuntu distributions currently use GnuTLS. You can always use a command like ldd to see what SSL library slapd is linked to and go from there, assuming the SSL library is dynamic and not static.
--Quanah
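The check Quanah describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from the OpenLDAP project: it classifies a slapd binary's ldd output as OpenSSL- or GnuTLS-linked, maps a TLS version to the <major>.<minor> value olcTLSProtocolMin takes (TLS 1.2 is 3.3, the value the original poster set), and then probes the server from outside with openssl s_client so the result can be compared with what Nessus and nmap reported. The binary path (SLAPD_BIN), the LDAP_HOST/LDAP_PORT/LDAP_STARTTLS variables and the sample ldd lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find out which TLS library slapd is
# linked against, then verify from the outside which TLS versions it accepts.
# SLAPD_BIN, LDAP_HOST, LDAP_PORT and LDAP_STARTTLS are assumed variables.
set -eu

# Classify ldd output passed as $1: prints "openssl", "gnutls", "both" or "unknown".
# libssl.so marks an OpenSSL build, libgnutls.so a GnuTLS build. Seeing both is
# ambiguous (one may be pulled in indirectly), so report it instead of guessing.
tls_lib_from_ldd() {
    ldd_out=$1
    case "$ldd_out" in *libssl.so*)    has_ssl=1 ;;    *) has_ssl=0 ;;    esac
    case "$ldd_out" in *libgnutls.so*) has_gnutls=1 ;; *) has_gnutls=0 ;; esac
    if [ "$has_ssl" = 1 ] && [ "$has_gnutls" = 1 ]; then
        echo both
    elif [ "$has_ssl" = 1 ]; then
        echo openssl
    elif [ "$has_gnutls" = 1 ]; then
        echo gnutls
    else
        echo unknown
    fi
}

# Map a TLS version name to the <major>.<minor> value olcTLSProtocolMin expects:
# per slapd-config(5), TLS 1.0 is 3.1, 1.1 is 3.2, 1.2 is 3.3, 1.3 is 3.4.
protocol_min_value() {
    case "$1" in
        1.0) echo 3.1 ;;
        1.1) echo 3.2 ;;
        1.2) echo 3.3 ;;
        1.3) echo 3.4 ;;
        *)   return 1 ;;
    esac
}

# Probe the server with one openssl s_client handshake per protocol version.
# $1 host, $2 port (default 636 for LDAPS), $3 "ldap" to use STARTTLS on 389
# instead (needs OpenSSL 1.1.1 or later). Caveat: a modern client may itself
# refuse -tls1 / -tls1_1 at its default security level, so "refused" for those
# is inconclusive on its own; cross-check with nmap's ssl-enum-ciphers script.
probe_tls_versions() {
    host=$1
    port=${2:-636}
    starttls=${3:-}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        set -- -connect "$host:$port" "-$v"
        if [ -n "$starttls" ]; then
            set -- "$@" -starttls "$starttls"
        fi
        if openssl s_client "$@" </dev/null >/dev/null 2>&1; then
            echo "$v accepted"
        else
            echo "$v refused"
        fi
    done
}

# Live check of the local binary: run as root or point SLAPD_BIN at /usr/sbin/slapd.
slapd_bin=${SLAPD_BIN:-$(command -v slapd || true)}
if [ -n "$slapd_bin" ] && [ -x "$slapd_bin" ]; then
    echo "$slapd_bin is linked against: $(tls_lib_from_ldd "$(ldd "$slapd_bin")")"
else
    echo "slapd binary not found; set SLAPD_BIN=/usr/sbin/slapd" >&2
fi

# External probe only when a target is given, e.g.
#   LDAP_HOST=ldap.example.com LDAP_PORT=389 LDAP_STARTTLS=ldap sh check-tls.sh
if [ -n "${LDAP_HOST:-}" ]; then
    probe_tls_versions "$LDAP_HOST" "${LDAP_PORT:-636}" "${LDAP_STARTTLS:-}"
fi
```

If the classification comes back "gnutls" (the case for the Ubuntu packages, as Quanah notes), olcTLSProtocolMin is ignored and the floor has to be expressed another way. My reading of slapd-config(5) is that with GnuTLS the olcTLSCipherSuite value is a GnuTLS priority string, so a line such as `olcTLSCipherSuite: NORMAL:!VERS-TLS1.0:!VERS-TLS1.1` would drop TLS 1.0 and 1.1; check that against the man page for your installed version before relying on it, then re-run the probe to confirm only tls1_2 and tls1_3 are accepted.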
Absolutely! We are using the Ubuntu distribution and the ldd command shows the library. Thanks for the help --JRosario
openldap-technical@openldap.org