Hi everyone
Question: are there any limitations (key size, encryption algorithm, etc.) for the certificates used by OpenLDAP to manage TLS connections?
See below for why I ask:
I have used the following configuration on my slapd servers for quite a while without any problem:
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow
See for example my configuration for syncrepl (note: tls_reqcert=demand):
olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type=refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap/cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 filter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand
-> I have used this for a couple of years on my multi-master LDAP servers, and until yesterday it worked perfectly: replication was working properly and clients talked to the servers over TLS without any problem.
But since my certificates were too weak (see: sha1, 512 bit):
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Dec 29 15:41:56 2011 GMT
            Not After : Jul 29 15:41:56 2021 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
I have renewed them using the same self-signed authority to sign them, and of course using exactly the same subject. My new certificate looks like this (see: sha2, 4096 bit):
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Jul 22 15:24:50 2015 GMT
            Not After : Feb 19 15:24:50 2025 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
I installed my new certificate on ldap1 without changing the configuration, and after restarting the server here is what I get in the ldap4 logs (loglevel = sync):
$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying
When I reinstall the previous certificates and restart ldap1, I see this appearing in the ldap4 logs:
...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Question: are there any limitations (key size, encryption algorithm, etc.) for the certificates used by OpenLDAP to manage TLS connections? Do OpenLDAP TLS connections work with sha256WithRSAEncryption certificates using a 4096-bit public key? Maybe I missed something?
(note: I use openssl to manage my certificates)
Thanks for any help.
--- Olivier
On 22/07/2015 18:27, Olivier wrote:
Hello Olivier,
As far as I know, there is no limitation on key size in OpenLDAP. You should first try to test your new certificate by querying your LDAP server with openssl s_client. Then you can try to use a higher log level (use at least the 'conns' level) to get more details on the error. Try to query the LDAP server with ldapsearch, first with LDAPS, then with StartTLS, and see what happens.
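A script for the checks suggested in this reply, added here as an illustration and not part of the thread: it parses "openssl x509 -text" output (like the output Olivier posted) for the signature algorithm and key size, then applies the same audit to the certificate a live server presents over LDAPS and StartTLS, and runs the two ldapsearch probes. The 2048-bit floor and the host/CA-file arguments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the "openssl x509 -text"
# output the poster inspected by hand, then apply the same audit to the
# certificate a live server presents. The 2048-bit floor is an assumption.
MIN_BITS=2048

# Read "openssl x509 -text" output on stdin and print
# "<signature algorithm> <key bits> <OK|WEAK>". Exit 0 only when the
# signature hash is not MD2/MD5/SHA-1 and the key has at least MIN_BITS bits.
audit_cert_text() {
    _text=$(cat)
    _sig=$(printf '%s\n' "$_text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    _bits=$(printf '%s\n' "$_text" | sed -n 's/^ *Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1)
    _verdict=OK
    case "$(printf '%s' "$_sig" | tr 'A-Z' 'a-z')" in
        *md2*|*md5*|*sha1*) _verdict=WEAK ;;   # legacy hashes, refused by modern TLS stacks
    esac
    # Missing or short key: the first certificate on the page (512 bit) lands here.
    if [ -z "$_bits" ] || [ "$_bits" -lt "$MIN_BITS" ]; then
        _verdict=WEAK
    fi
    printf '%s %s %s\n' "${_sig:-unknown}" "${_bits:-0}" "$_verdict"
    [ "$_verdict" = OK ]
}

# Fetch the certificate a server presents on the LDAPS port (636) and audit it.
# Usage: probe_ldaps ldap1.example.fr /etc/openldap/cacerts/CA.crt
probe_ldaps() {
    _host=$1; _ca=$2
    openssl s_client -connect "$_host:636" -servername "$_host" -CAfile "$_ca" \
        </dev/null 2>/dev/null | openssl x509 -noout -text | audit_cert_text
}

# Same audit over StartTLS on port 389 (-starttls ldap needs OpenSSL 1.1.1 or later).
probe_starttls() {
    _host=$1; _ca=$2
    openssl s_client -connect "$_host:389" -starttls ldap -servername "$_host" \
        -CAfile "$_ca" </dev/null 2>/dev/null | openssl x509 -noout -text | audit_cert_text
}

# The ldapsearch checks from the reply: LDAPS first, then StartTLS (-ZZ makes
# TLS mandatory). LDAPTLS_CACERT tells libldap which CA to trust.
probe_ldapsearch() {
    _host=$1; _ca=$2
    LDAPTLS_CACERT="$_ca" ldapsearch -x -H "ldaps://$_host" -b '' -s base >/dev/null &&
    LDAPTLS_CACERT="$_ca" ldapsearch -x -H "ldap://$_host" -ZZ -b '' -s base >/dev/null
}
if [ "$#" -eq 2 ]; then
    probe_ldaps "$1" "$2" && probe_starttls "$1" "$2" && probe_ldapsearch "$1" "$2"
fi
```

Run it as "sh audit.sh ldap1.example.fr /etc/openldap/cacerts/CA.crt"; a WEAK verdict or a failing ldapsearch narrows the problem to the certificate or the TLS layer before raising the slapd log level.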
openldap-technical@openldap.org