Hi
I’m attempting to modify the TLS ciphers that are used in an openldap2-2.4.41-22.16.1.x86_64 environment in our lab, running on SLES 12 SP5. I’ve used the following command to set the cipher list value to the returned value of ‘openssl ciphers HIGH’:
ldpdd041:/tmp # cat set-ciphersuite.ldif dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: HIGH ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
ldpdd041:/tmp # openssl ciphers HIGH ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA ldpdd041:/tmp #
So I had expected to see that all of these ciphers were being offered for use by the OpenLDAP server; instead, I see that only a subset of the list is offered:
sslyze ldpdd041.hop.lab.emc.com:636 . . .
* TLS 1.0 Cipher Suites: Attempted to connect using 80 cipher suites.
The server accepted the following 4 cipher suites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 TLS_RSA_WITH_AES_256_CBC_SHA 256 TLS_RSA_WITH_AES_128_CBC_SHA 128
The group of cipher suites supported by the server has the following properties: Forward Secrecy INSECURE - Not Supported Legacy RC4 Algorithm OK - Not Supported
* TLS 1.1 Cipher Suites: Attempted to connect using 80 cipher suites.
The server accepted the following 4 cipher suites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 TLS_RSA_WITH_AES_256_CBC_SHA 256 TLS_RSA_WITH_AES_128_CBC_SHA 128
The group of cipher suites supported by the server has the following properties: Forward Secrecy INSECURE - Not Supported Legacy RC4 Algorithm OK - Not Supported
* TLS 1.2 Cipher Suites: Attempted to connect using 156 cipher suites.
The server accepted the following 8 cipher suites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 TLS_RSA_WITH_AES_256_GCM_SHA384 256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 TLS_RSA_WITH_AES_256_CBC_SHA 256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 TLS_RSA_WITH_AES_128_CBC_SHA256 128 TLS_RSA_WITH_AES_128_CBC_SHA 128
I believe I know why the DHE-based ciphers are not being offered: I haven’t enabled use of the olcTLSDHParamFile directive. Rather than mess around with generating the DH param file, etc., I’d like to use ECDHE-based ciphers. According to p. 160 of https://www.openldap.org/doc/admin24/OpenLDAP-Admin-Guide.pdf, the ‘TLSECName’ directive allows an ECDHE curve to be specified. When I tried to enable use of the directive, I received a ‘wrong attibuteType’ error:
ldpdd041:/tmp # cat set-ecname.ldif dn: cn=config changetype: modify add: olcTLSECName olcTLSECName : secp384r1 ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ecname.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldapmodify: wrong attributeType at line 4, entry "cn=config" ldpdd041:/tmp #
Does OpenLDAP 2.4.41 not support this directive?
Thanks tl
Terry Lemons Senior Principal Software Engineer, Dell EMC Dell Technologies | Data Management Terry.Lemons@dell.commailto:Terry.Lemons@dell.com
Internal Use - Confidential
--On> ldpdd041:/tmp # cat set-ecname.ldif
dn: cn=config
changetype: modify
add: olcTLSECName
olcTLSECName : secp384r1
The above does not appear to be a valid ldap modify statement. In particular, you seem to have a space that should not be there.
I.e.,
olcTLSSECName: secp38r41
NOT
olcTLSSECName : secp384r1
--Quanah
Hi Quanah
Great catch! I removed the extra space and my previous error disappeared.
Thanks for the help! tl
Internal Use - Confidential
-----Original Message----- From: Quanah Gibson-Mount quanah@fast-mail.org Sent: Wednesday, April 19, 2023 6:37 PM To: Lemons, Terry; openldap-technical@openldap.org Subject: Re: Use of olcTLSECName directive returns 'wrong attibuteType' error
[EXTERNAL EMAIL]
--On> ldpdd041:/tmp # cat set-ecname.ldif
dn: cn=config
changetype: modify
add: olcTLSECName
olcTLSECName : secp384r1
The above does not appear to be a valid ldap modify statement. In particular, you seem to have a space that should not be there.
I.e.,
olcTLSSECName: secp38r41
NOT
olcTLSSECName : secp384r1
--Quanah
On Wed, 19 Apr 2023, Lemons, Terry wrote:
I’m attempting to modify the TLS ciphers that are used in an openldap2-2.4.41-22.16.1.x86_64 environment in our lab, running on SLES 12 SP5. I’ve used the following command to set the cipher list value to the returned value of ‘openssl ciphers HIGH’:
ldpdd041:/tmp # cat set-ciphersuite.ldif dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: HIGH ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
ldpdd041:/tmp # openssl ciphers HIGH ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA ldpdd041:/tmp #
So I had expected to see that all of these ciphers were being offered for use by the OpenLDAP server; instead, I see that only a subset of the list is offered:
You're on the right trail for why the ciphers using the EDH/DHE and ECDHE key-exchange methods are not being offered.
In addition, the authentication method of a cipher, as reported in the 4th column of "openssl ciphers -v" output, may imply a requirement for a specific type of certificate or other credential. In particular, the au=RSA ciphers require a cert+key for an RSA keypair, while au=DSS requires a DSS keypair and au=ECDSA reuqires an ECDSA cert, etc. I don't believe slapd supports configuring multiple cert+key pairs; if that's correct then you'll be limited to only supporting a subset of the ciphers at any given time.
WARNING: you see those ADH-* ciphers in your list, like ADH-AES256-GCM-SHA384? Be aware that those are _unauthenticated_ ciphers suites. Since they don't authenticate the server (no cert used at all), they are subject to Machine-in-the-Middle attack.
(In openssl-style cipher specs, 'HIGH' is only a requirement on the symmeteric cipher strength and says nothing about other security properties like authentication and forward-security. In practice, if any sort of confidential data in on the server or non-anonymous binds are used then you should almost certainly either a) list the specific ciphers you want to permit, or b) at the very least exclude unauthenticated ciphers, ala olcTLSCipherSuite: HIGH!aNULL
If you believe you know what you're doing is safe then sure, go wild...)
Philip Guenther
Hi Philip
Thanks very much for this educational reply. I only enabled use of the 'HIGH' keyword during this debugging period. I plan to name several strong ciphers explicitly, once I get things working.
Looking at https://man7.org/linux/man-pages/man5/slapd-config.5.html, I see the ' olcTLSECName ' directive documented:
olcTLSDHParamFile: <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server, or an RSA certificate missing the "key encipherment" key usage. Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non- default cipher suites. Anonymous key exchanges should generally be avoided since they provide no actual client or server authentication and provide no protection against man-in-the-middle attacks. You should append "!ADH" to your cipher suites to ensure that these suites are not used.
olcTLSECName: <name> Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman ephemeral key exchange. This option is only used for OpenSSL. This option is not used with GnuTLS; the curves may be chosen in the GnuTLS ciphersuite specification.
olcTLSProtocolMin: <major>[.<minor>]
but in the slapd-config man page that comes with the openldap2-2.4.41-22.16.1.x86_64 distribution available in SLES 12 SP5, I don't see that directive documented:
olcTLSDHParamFile: <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server. If multiple sets of parameters are present in the file, all of them will be processed. Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. You should append "!ADH" to your cipher suites if you have changed them from the default, otherwise no certificate exchanges or verification will be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly so this directive is ignored.
olcTLSProtocolMin: <major>[.<minor>]
And, it appears that this directive is unknown in my environment:
ldpdd041:/tmp # cat set-ecname.ldif dn: cn=config changetype: modify add: olcTLSECName olcTLSECName: secp384r1 ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ecname.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Undefined attribute type (17) additional info: olcTLSECName: attribute type undefined
ldpdd041:/tmp #
Is this expected?
Thanks! tl
Internal Use - Confidential
-----Original Message----- From: Philip Guenther pguenther@proofpoint.com Sent: Wednesday, April 19, 2023 7:18 PM To: Lemons, Terry Cc: openldap-technical@openldap.org Subject: Re: Use of olcTLSECName directive returns ‘wrong attibuteType’ error
[EXTERNAL EMAIL]
On Wed, 19 Apr 2023, Lemons, Terry wrote:
I’m attempting to modify the TLS ciphers that are used in an openldap2-2.4.41-22.16.1.x86_64 environment in our lab, running on SLES 12 SP5. I’ve used the following command to set the cipher list value to the returned value of ‘openssl ciphers HIGH’:
ldpdd041:/tmp # cat set-ciphersuite.ldif dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: HIGH ldpdd041:/tmp # ldapmodify -H ldapi:// -Y EXTERNAL -f set-ciphersuite.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
ldpdd041:/tmp # openssl ciphers HIGH ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AE S256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA -AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-25 6-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AE S256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DS S-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES2 56-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA- CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS- CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA2 56:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH- ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA38 4:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-S HA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-G CM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE- ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DS S-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-A ES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DH E-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH -RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES 128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DH E-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:AE CDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA: ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-S HA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128- SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:C AMELLIA128-SHA:PSK-AES128-CBC-SHA ldpdd041:/tmp #
So I had expected to see that all of these ciphers were being offered for use by the OpenLDAP server; instead, I see that only a subset of the list is offered:
You're on the right trail for why the ciphers using the EDH/DHE and ECDHE key-exchange methods are not being offered.
In addition, the authentication method of a cipher, as reported in the 4th column of "openssl ciphers -v" output, may imply a requirement for a specific type of certificate or other credential. In particular, the au=RSA ciphers require a cert+key for an RSA keypair, while au=DSS requires a DSS keypair and au=ECDSA reuqires an ECDSA cert, etc. I don't believe slapd supports configuring multiple cert+key pairs; if that's correct then you'll be limited to only supporting a subset of the ciphers at any given time.
WARNING: you see those ADH-* ciphers in your list, like ADH-AES256-GCM-SHA384? Be aware that those are _unauthenticated_ ciphers suites. Since they don't authenticate the server (no cert used at all), they are subject to Machine-in-the-Middle attack.
(In openssl-style cipher specs, 'HIGH' is only a requirement on the symmeteric cipher strength and says nothing about other security properties like authentication and forward-security. In practice, if any sort of confidential data in on the server or non-anonymous binds are used then you should almost certainly either a) list the specific ciphers you want to permit, or b) at the very least exclude unauthenticated ciphers, ala olcTLSCipherSuite: HIGH!aNULL
If you believe you know what you're doing is safe then sure, go wild...)
Philip Guenther
--On Thursday, April 20, 2023 4:58 PM +0000 "Lemons, Terry" Terry.Lemons@dell.com wrote:
but in the slapd-config man page that comes with the openldap2-2.4.41-22.16.1.x86_64
Personally I avoid SLES like the plague given their history of making non-backwards compatible changes to libc in patch releases. I'd also note that 2.4.41 is 8 years old, and the 2.4 series is historic and unsupported. I'd *strongly* advise you upgrade to running a modern supported release of OpenLDAP.
--Quanah
openldap-technical@openldap.org
-
Lemons, Terry -
Philip Guenther -
Quanah Gibson-Mount