Hello,
I have Red Hat 6 where I am trying to disable the TLSv1.0 protocol. I have tried the below configuration:
RHEL6
-----------------------------------------
[root@ldap1 ~]# rpm -qa | grep -we openldap -we openssl -we nss
krb5-pkinit-openssl-1.10.3-10.el6_4.6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
nss-util-3.21.0-2.el6.x86_64
nss-3.21.0-8.el6.x86_64
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.x86_64
openldap-clients-2.4.40-12.el6.x86_64
nss-softokn-freebl-3.14.3-23.3.el6_8.x86_64
nss-sysinit-3.21.0-8.el6.x86_64
nss-tools-3.21.0-8.el6.x86_64
openldap-2.4.40-12.el6.x86_64
nss-softokn-3.14.3-23.3.el6_8.x86_64
-----------------------------------------

RHEL6 Configuration
-----------------------------------------
TLSProtocolMin 3.2
TLSCipherSuite HIGH
-----------------------------------------
But still, when I ran a third party tool to check the offered protocols, I am getting:
--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
--> Testing ~standard cipher lists
TLSv1.0 is still offered; I want to disable TLSv1.0 also.
Any suggestions?
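As an added example (not from the thread or the OpenLDAP project), a small Python probe that pins a client handshake to one TLS version at a time, which is how you can re-check slapd's ldaps port after changing TLSProtocolMin and see exactly which versions the server still completes; the host name `ldap1` and port 636 are assumptions, and the `connect` parameter exists so the logic can be exercised without a live server.

```python
import socket
import ssl

# Protocol versions in the order the scan output above lists them.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def _tls_connect(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`. True: server completed it.
    False: server refused it. None: this client cannot offer that version
    (e.g. a local OpenSSL built without TLS 1.0), so the result is unknown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing the protocol, not the cert
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow legacy versions to be offered
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:  # handshake rejected: version not offered by server
        return False

def probe_versions(host, port=636, connect=_tls_connect):
    """Map each entry of VERSIONS to True/False/None for host:port."""
    return {name: connect(host, port, v) for name, v in VERSIONS.items()}

def still_offered_below(results, minimum="TLS 1.2"):
    """Versions the server accepted that are older than the intended minimum."""
    names = list(VERSIONS)
    cutoff = names.index(minimum)
    return [n for n in names[:cutoff] if results.get(n) is True]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap1"  # assumed host name
    res = probe_versions(host)
    for name, ok in res.items():
        state = "offered" if ok else ("not offered" if ok is False else "untestable")
        print(f"{name}: {state}")
    print("still offered below TLS 1.2:", still_offered_below(res))
```

With the server in the state the scan above reports, the last line lists TLS 1.0 and TLS 1.1; once the minimum actually takes effect it prints an empty list.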
Hi
I suspect your (RHEL's) openldap is not using OpenSSL (check with ldd), but gnutls instead.
Maybe
https://www.gnutls.org/manual/html_node/Priority-Strings.html
And
http://myatus.com/p/quick-note-disable-sslv3-openldap-gnutls/
Might give you some hints?
If you're using RHEL, then you should have a support contract, so you could also ask Red Hat?
Best, Kevin
Sent from my iPad
On 30 Sep 2016, at 05:24, Gaurav Swami swamigaurav90@gmail.com wrote:
* Gaurav Swami:
> I have Red Hat 6 where I am trying to disable the TLSv1.0 protocol. I have tried the below configuration.
OpenLDAP on Red Hat Enterprise Linux 6 uses NSS, instead of the more standard OpenSSL library. I'm not sure if TLS 1.0 can be turned off in the current version. I think you need to open a support case with Red Hat.
Hello,
Regarding this issue, there are bugs opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1249092
https://bugzilla.redhat.com/show_bug.cgi?id=1249093
https://bugzilla.redhat.com/show_bug.cgi?id=1375432
For further information, please, contact Red Hat Support.
I think this ITS case may be closed now as it is Red Hat specific.
Regards.
openldap-technical@openldap.org