--On Thursday, December 01, 2016 6:24 PM +0000 David Ward daward@Brocade.COM wrote:
> I'm looking for a test method to restrict the level of TLS used with slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the undocumented command 'TLSProtocolMin' to require minimum strength. I would like to disable certain versions.

Hi David,
I'm unclear what you mean by undocumented. It is clearly documented in the slapd.conf(5) man page (for 2.4.44), which you can freely view on the OpenLDAP.org website:
TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
TLSProtocolMin 3.2
would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
There is not, as far as I know, any way to fine tune things beyond this (i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).
Hope that helps!
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On Thu, 1 Dec 2016, Quanah Gibson-Mount wrote:
...
> There is not, as far as I know, any way to fine tune things beyond this (i.e., accept TLS 1.1 and TLS 1.3, but not TLS 1.2).
Right, because the on-the-wire protocol itself just carries a single version number, so if a client only supports a discontiguous set of versions then negotiation can fail despite there being a common supported version. Indeed, recent enough releases of OpenSSL automatically prevent that on the client side:

    /*
     * SSL_OP_NO_X disables all protocols above X *if* there are
     * some protocols below X enabled. This is required in order
     * to maintain "version capability" vector contiguous. So
     * that if application wants to disable TLS1.0 in favour of
     * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
     * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
     */
And now in OpenSSL 1.1.0 the use of the SSL_OP_NO_TLSv1* options is deprecated in favor of new SSL_CTX_set_{min,max}_proto_version() APIs, making it impossible at the API level to specify discontiguous sets of versions.
Philip Guenther
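Quanah's TLSProtocolMin mapping and Philip's point about discontiguous version sets, worked through in a small simulation. This is an added example, not code from OpenLDAP or OpenSSL: it models the pre-TLS-1.3 negotiation in which the ClientHello carries a single highest version and the server answers with the highest version it supports at or below it. The version sets and TLSProtocolMin values are constructed, and the `highest` parameter stands in for the top version of whatever OpenSSL slapd was built against.

```python
"""Simulated SSL/TLS version negotiation (added example, not OpenLDAP or
OpenSSL code).

Models: (1) slapd's 'TLSProtocolMin <major>[.<minor>]' as documented in
slapd.conf(5), including the clamp to the highest supported version;
(2) the single-version-number handshake Philip describes, where a client
with a hole in its version set can fail against a server it shares a
version with; (3) OpenSSL's rule that keeps the enabled set contiguous.
All inputs below are constructed for the demonstration.
"""

# Wire version numbers: SSLv3 = 3.0, TLS 1.0 = 3.1, TLS 1.1 = 3.2, TLS 1.2 = 3.3
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}
ALL_VERSIONS = [SSL3, TLS10, TLS11, TLS12]


def parse_tls_protocol_min(value):
    """Parse a slapd.conf 'TLSProtocolMin <major>[.<minor>]' value.

    '3.3' means TLS 1.2 or higher ("3.(x+1)" for TLS 1.x); a bare '3'
    is treated as 3.0.
    """
    major, _, minor = value.strip().partition(".")
    return (int(major), int(minor) if minor else 0)


def server_versions(tls_protocol_min, highest=TLS12):
    """Versions a slapd built against an OpenSSL topping out at `highest` accepts.

    Per slapd.conf(5), a minimum above the highest supported version is
    clamped to that highest version, so the server then requires exactly it.
    """
    lo = min(parse_tls_protocol_min(tls_protocol_min), highest)
    return {v for v in ALL_VERSIONS if lo <= v <= highest}


def negotiate(client_versions, server_versions):
    """Single-version-number negotiation: the ClientHello carries only the
    client's highest version, the ServerHello the server's pick.

    Returns the agreed version, or None if the handshake fails.
    """
    client_hello = max(client_versions)          # the only thing the client says
    usable = [v for v in server_versions if v <= client_hello]
    if not usable:
        return None                              # server: client is too old
    server_hello = max(usable)                   # server cannot see client's holes
    return server_hello if server_hello in client_versions else None


def make_contiguous(versions):
    """OpenSSL's rule quoted above: disabling version X while something below
    X is still enabled also disables everything above X, so the enabled set is
    always a contiguous range starting at its lowest member."""
    enabled = set()
    for v in ALL_VERSIONS:
        if v in versions:
            enabled.add(v)
        elif enabled:
            break          # hole found: everything above it is dropped
    return enabled


def demo():
    """Run the constructed scenarios; returns a dict of outcomes."""
    results = {}
    # 1. slapd with 'TLSProtocolMin 3.3' (TLS 1.2+): a client that stops at
    #    TLS 1.1 is refused; one that can do TLS 1.2 gets TLS 1.2.
    srv = server_versions("3.3")
    results["min33_vs_tls11_client"] = negotiate({TLS10, TLS11}, srv)
    results["min33_vs_tls12_client"] = negotiate({TLS10, TLS11, TLS12}, srv)
    # 2. A minimum above what the build supports is clamped to the top version.
    results["min34_clamped"] = sorted(server_versions("3.4"))
    # 3. Client with a hole ({TLS 1.0, TLS 1.2}) against an older server that
    #    supports up to TLS 1.1: TLS 1.0 is common, yet the handshake fails
    #    because the server answers TLS 1.1 to a "max 1.2" hello.
    old_srv = server_versions("3.0", highest=TLS11)
    results["holey_client_fails"] = negotiate({TLS10, TLS12}, old_srv)
    # 4. OpenSSL's contiguity rule turns {TLS 1.0, TLS 1.2} into {TLS 1.0},
    #    and that client negotiates TLS 1.0 successfully.
    results["contiguous_client_ok"] = negotiate(
        make_contiguous({TLS10, TLS12}), old_srv)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        shown = ([NAMES[v] for v in outcome] if isinstance(outcome, list)
                 else NAMES.get(outcome, "handshake failed"))
        print(f"{name}: {shown}")
```

Scenario 3 is the failure Philip describes and scenario 4 is why the contiguity rule (and, in OpenSSL 1.1.0, the min/max API) exists: with only one version number on the wire, a client can never tell the server about a hole in its support, so the safe thing is not to have one.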
On Thu, 1 Dec 2016, David Ward daward@Brocade.COM wrote:
> I'm looking for a test method to restrict the level of TLS used with slapd. I'm running ver 2.4.40 which supports TLS 1.2. I see the undocumented command 'TLSProtocolMin' to require minimum strength. I would like to disable certain versions.
OpenLDAP doesn't provide any way to turn off support for the highest protocol version supported by the OpenSSL it is built against. If you build against a modern OpenSSL, you get TLS 1.2 no matter what. If you need to test client operation against a server that doesn't support TLS 1.2 then you'll need to hack OpenLDAP to disable it, perhaps adding a TLSProtocolMax option to your tree.
Philip Guenther
That's unfortunate. I had found the freeradius command that provided that functionality (disable_tlsv1_2 = yes), and was hoping there would be something similar for openldap. The reference to it not being documented was more of a pointer to the thread, where I saw the code snippet for what looked like the feature I needed.
-David
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com]
Sent: Thursday, December 01, 2016 1:31 PM
To: David Ward daward@Brocade.COM; openldap-technical@openldap.org
Subject: Re: restrict openldap TLS version