Hi Team,
Hope you can help with this issue.
1) I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as a proxy with upstream Active Directory servers, and we are using CA certs with this OpenSSL. We would like to disable SSLv3, so I added the entry below to slapd.conf, but when I try to start slapd it fails to start:
TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3
The errors are as below:
slapd[19899]: main: TLS init def ctx failed: -1
slapd[19899]: slapd stopped.
slapd[19899]: connections_destroy: nothing to destroy.
The debug logs on restart are as below:
TLS: could not set cipher list HIGH:MEDIUM:!SSLv2:!SSLV3.
617c64c1 main: TLS init def ctx failed: -1
617c64c1 slapd stopped.
2) Also, did anybody notice this issue? I am facing an issue with group display: we have several users in a group, but when looking up groups with getent group we see only a few users. Not sure if there is any limit on the group field in the database.
Thanks,
Narayanan
Linux Platform Engineering
500 Staples Drive, Framingham MA
Office: 508-253-6909 | Mobile: 508-333-4395
On Fri, 29 Oct 2021, Ballem, Narayanan wrote:
> Hope you can help with this issue.
> 1) I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP as a proxy with upstream Active Directory servers, and we are using CA certs with this OpenSSL. We would like to disable SSLv3, so I added the entry below to slapd.conf, but when I try to start slapd it fails to start:
> TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3
Yeah, OpenSSL's cipher selector "SSLv3" doesn't mean what you think and does *not* control what TLS *protocol versions* are offered. A different API call is needed, and in OpenLDAP that's done with this option:
TLSProtocolMin <major>[.<minor>]
    Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g.,
        TLSProtocolMin 3.2
    would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
So, to just disable SSLv3 but support TLSv1.0 and higher, use:
    TLSProtocolMin 3.1
(Frankly, you should be pushing *really hard* to require TLSv1.2 as a minimum.)
For TLSCipherSuite you'll then want to use:
    TLSCipherSuite HIGH:MEDIUM
or probably:
    TLSCipherSuite HIGH
because do you *really* want to permit RC4-MD5, which is part of MEDIUM? If you have clients that require such crappy old ciphers then they *absolutely* need to be updated/replaced.
Philip Guenther
openldap-technical@openldap.org
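A configuration audit check, added here as an example and not part of this thread or of OpenLDAP itself: it reads a slapd.conf, flags an SSLv3 keyword in TLSCipherSuite (which, as the reply explains, does not restrict protocol versions), flags MEDIUM, and checks that TLSProtocolMin is set to 3.3 or higher. The two sample configurations and their certificate paths are constructed.

```shell
#!/bin/sh
# Audit slapd.conf TLS directives for the thread's mistake: an "!SSLv3" selector in TLSCipherSuite
# does not disable the SSLv3 protocol, only TLSProtocolMin does. Config on stdin; exit 0 if clean.
audit_slapd_tls() {
    conf=$(cat)
    findings=0
    ciphers=$(printf '%s\n' "$conf" | awk 'tolower($1)=="tlsciphersuite"{v=$2} END{print v}')
    protomin=$(printf '%s\n' "$conf" | awk 'tolower($1)=="tlsprotocolmin"{v=$2} END{print v}')
    case "$ciphers" in
        *[Ss][Ss][Ll][Vv]3*)   # catches the thread's "!SSLV3" (and "!SSLv3")
            echo "FAIL: TLSCipherSuite '$ciphers': an SSLv3 cipher keyword does not restrict protocol versions; use TLSProtocolMin"
            findings=$((findings + 1)) ;;
    esac
    case "$ciphers" in
        *MEDIUM*)
            echo "WARN: TLSCipherSuite includes MEDIUM, which permits RC4-MD5; prefer HIGH"
            findings=$((findings + 1)) ;;
    esac
    if [ -z "$protomin" ]; then
        echo "FAIL: TLSProtocolMin is not set, so SSLv3 remains negotiable"
        findings=$((findings + 1))
    else
        # TLSProtocolMin 3.(x+1) means TLS 1.x, so 3.3 or higher requires TLS 1.2+
        level=$(awk -v v="$protomin" 'BEGIN{split(v,p,"."); r=(p[1]+0>3 || (p[1]+0==3 && p[2]+0>=3)) ? "ok" : "low"; print r}')
        if [ "$level" != ok ]; then
            echo "WARN: TLSProtocolMin $protomin still allows TLS below 1.2; prefer 3.3"
            findings=$((findings + 1))
        fi
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}
# Constructed samples, not the poster's real files; certificate paths are placeholders.
thread_conf() {        # the configuration that failed to start slapd
    cat <<'EOF'
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSCertificateFile /etc/openldap/certs/server.pem
TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3
EOF
}
fixed_conf() {         # the thread's recommendation: TLS 1.2 minimum, HIGH ciphers only
    cat <<'EOF'
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSCertificateFile /etc/openldap/certs/server.pem
TLSProtocolMin 3.3
TLSCipherSuite HIGH
EOF
}
thread_conf | audit_slapd_tls || echo "-> thread config rejected"
fixed_conf | audit_slapd_tls && echo "-> fixed config accepted"
```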