Hi
We finally moved from RSA-signed certificates to ECDSA signatures, as that is the default nowadays (https://community.letsencrypt.org/t/ecdsa-certificates-by-default-and-other-upcoming-changes-in-certbot-2-0/177013).
Unfortunately, slapd doesn't like those certificates:

slapd[641]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
        mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/serve
slapd[641]: main: TLS init def ctx failed: -1
slapd[641]: slapd stopped.

This happened on a server running old OpenLDAP 2.4 (openldap-2.4.44-25.el7_9.x86_64).
Is there a directive to allow ECDSA certs in slapd (2.4)?
Is it natively supported in up-to-date versions of OpenLDAP 2.5 / 2.6?
Is there a special directive in certbot to request slapd certs?
Thanks.
Hi,
We use certificates with an ecdsa-with-SHA256 signature, created with certbot, on OpenLDAP 2.6 without problems.
Am 10.12.2024 um 11:28 schrieb jehan Procaccia:
Dirk
IIRC OpenLDAP doesn't specify any curve by default for ECDHE. You need to specify it explicitly to be able to use ECDHE (and thus ECDSA), e.g.:
TLSECName X25519:P-256
This is also needed to get ECDHE key exchange with RSA certificates, btw. So perhaps OpenLDAP should configure a curve (list) by default?
(OpenSSL < 1.0.2 supports only a single curve. Pick P-256 in that case.)
Geert
On Tue, Dec 10, 2024 at 11:49:00 +0100, Dirk Kastens wrote:
OK, then I tried to add that attribute TLSECName to my config (OLC), but it fails:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcTLSecName-ECC.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: wrong attributeType at line 4, entry "cn=config"

The LDIF contains:

# cat /root/ldifidLdapFm/olcTLSSecName-ECC.ldif
dn: cn=config
changetype: modify
add: olcTLSECName
olcTLSECName: secp256k1

The value was taken from:

# openssl ecparam -list_curves
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

I also tried with your proposed value X25519:P-256; it fails the same way. Here is the content of my ECDSA-signed certificate:

# openssl x509 -in ./cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:f9:6a:e3:82:60:1c:91:c3:02:18:ab:a6:f7:ab:60
        Signature Algorithm: ecdsa-with-SHA256

Did I miss something?
Thanks.
On 10/12/2024 12:06, Geert Hendrickx wrote:
secp256k1 (a Koblitz curve) won't be interoperable, try prime256v1 (an openssl alias for SEC P-256 or secp256r1).
But that doesn't explain the wrong attributeType error you're getting.
Is your slapd perhaps built with GnuTLS instead of OpenSSL?
Geert
On Tue, Dec 10, 2024 at 15:43:12 +0100, jehan Procaccia wrote:
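As an added example that is not part of the thread, the following POSIX shell helpers cover the two checks raised above: which TLS library the slapd binary is linked against (Geert's GnuTLS-vs-OpenSSL question) and building the olcTLSECName LDIF while refusing secp256k1 in favour of the curve names discussed. Classifying the backend by shared-library name is this example's own assumption; the curve names and the LDIF attribute come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the two checks raised above,
# the TLS backend slapd links against (Geert's GnuTLS-vs-OpenSSL question) and
# a cn=config LDIF that sets olcTLSECName to interoperable curves only.
# Classify slapd's TLS backend from the text of `ldd /path/to/slapd`.
# Matching on shared-library names is this example's own assumption.
tls_backend_of() {
    case "$1" in
        *libnss3.so*|*libssl3.so*) echo nss ;;      # Mozilla NSS
        *libgnutls.so*)            echo gnutls ;;
        *libssl.so*)               echo openssl ;;
        *)                         echo unknown ;;
    esac
}

# Curves TLS peers actually negotiate. secp256k1 (Koblitz) is not among
# them; prime256v1 is OpenSSL's name for P-256 / secp256r1.
curve_is_interoperable() {
    case "$1" in
        prime256v1|secp256r1|P-256|secp384r1|P-384|secp521r1|P-521|X25519|X448) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the LDIF for `ldapmodify -Y EXTERNAL -H ldapi:///`. $1 is the
# colon-separated curve list TLSECName expects (e.g. X25519:P-256).
# Returns 1 without printing if any curve is non-interoperable.
olc_tls_ecname_ldif() {
    list=$1
    old_ifs=$IFS; IFS=:
    set -- $list
    IFS=$old_ifs
    for c in "$@"; do
        if ! curve_is_interoperable "$c"; then
            echo "refusing curve '$c': TLS peers will not negotiate it" >&2
            return 1
        fi
    done
    # The attribute name after "add:" and on the value line must match exactly.
    printf 'dn: cn=config\nchangetype: modify\nadd: olcTLSECName\nolcTLSECName: %s\n' "$list"
}

# Stand-alone run: inspect the installed slapd if present, else a constructed ldd line.
if command -v slapd >/dev/null 2>&1; then
    ldd_out=$(ldd "$(command -v slapd)" 2>/dev/null || true)
else
    ldd_out='libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (constructed sample)'
fi
echo "slapd TLS backend: $(tls_backend_of "$ldd_out")"
olc_tls_ecname_ldif X25519:P-256
```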
I'm afraid you have to use a new OpenLDAP version to use new certificate algorithms.
Kind regards, Ulrich Windl
From: jehan Procaccia jehan.procaccia@imtbs-tsp.eu
Sent: Tuesday, December 10, 2024 11:28 AM
To: openldap-technical@openldap.org
Subject: [EXT] ECDSA certs TLS init failed for slapd