Hi all,
What are the best settings to enforce TLS 1.2 on the OpenLDAP server side (openldap-2.4.44-1.el6)?
I made the change below:
From: olcTLSProtocolMin: 0.0
To: olcTLSProtocolMin: 3.3
However, TLS 1.0 still shows up in a lot of the tcpdump packets:
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 70
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 66
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 0
            Cipher Suites Length: 20
            Cipher Suites (10 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 5
            Extension: renegotiation_info

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 1704
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 77
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 32
            Session ID: 39c37acec27b5f497c3bf4a4c694c4a9cc03ed6371e0fee0...
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Method: null (0)
            Extensions Length: 5
            Extension: renegotiation_info
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1499
            Certificates Length: 1496
            Certificates (1496 bytes)
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 112
            Certificate types count: 3
            Certificate types (3 types)
            Distinguished Names Length: 106
            Distinguished Names (106 bytes)
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
Thanks, Steve
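The capture above is the evidence that the setting was not honoured, and the field to read is the version inside the ServerHello, not the record-layer "Version" that Wireshark prints first: clients routinely put TLS 1.0 (0x0301) in the record header for compatibility, so that line alone proves nothing. Here the ClientHello's own version is also TLS 1.0 and the server answered with a TLS 1.0 ServerHello instead of a protocol_version alert, so the handshake completed below the configured minimum. The script below is an added example, not code from the original post or from OpenLDAP: it parses the two records, maps olcTLSProtocolMin's "3.3" to TLS 1.2 (OpenLDAP spells TLS versions as SSL record versions, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2), and reports whether the negotiated version meets the minimum. The record bytes are constructed to reproduce the lengths, versions, session ID length and cipher suite shown above; the randoms, the cipher suite list, the certificate body and the tail of the session ID are filler, not captured data.

```python
"""Check a captured LDAP TLS handshake against an olcTLSProtocolMin policy.

Added example for this thread, not code from OpenLDAP or the original post.
The records are constructed to reproduce the field values Wireshark printed
above (versions, lengths, session ID length, cipher suite 0x002f); randoms,
the suite list, the certificate body and the session ID tail are filler.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
HS_CERTIFICATE_REQUEST, HS_SERVER_HELLO_DONE = 13, 14
# OpenLDAP spells TLS versions as SSL record versions: 3.1 = TLS 1.0,
# 3.2 = TLS 1.1, 3.3 = TLS 1.2; 0.0 means no minimum.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
RENEG_INFO_EXT = b"\xff\x01\x00\x01\x00"  # renegotiation_info (0xff01), length 1, empty

def parse_protocol_min(value):
    """'3.3' -> (3, 3); '0.0' -> (0, 0)."""
    major, minor = value.split(".")
    return int(major), int(minor)

def parse_records(data):
    """Split raw bytes into TLS records: (content_type, record_version, body)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records

def parse_handshakes(body):
    """Split a handshake record body into (msg_type, payload); one record may hold several."""
    msgs, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(body[off + 1:off + 4], "big")
        payload = body[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated handshake message")
        msgs.append((body[off], payload))
        off += 4 + length
    return msgs

def handshake_messages(data):
    """All handshake messages in data, across records, in wire order."""
    return [m for ct, _, body in parse_records(data)
            if ct == CONTENT_TYPE_HANDSHAKE for m in parse_handshakes(body)]

def parse_server_hello(payload):
    """(version, session_id, cipher_suite). This version, not the record-layer one,
    is what both sides will use; ClientHello records carry 0x0301 for compatibility."""
    sid_len = payload[34]  # follows the 2-byte version and 32-byte random
    (suite,) = struct.unpack("!H", payload[35 + sid_len:37 + sid_len])
    return (payload[0], payload[1]), payload[35:35 + sid_len], suite

def check_enforcement(client_bytes, server_bytes, protocol_min="3.3"):
    """Did the server honour protocol_min? A server enforcing a minimum above the
    client's offer must answer with a protocol_version alert, so a ServerHello
    below the minimum means the setting was never applied."""
    client_hello = next(p for t, p in handshake_messages(client_bytes) if t == HS_CLIENT_HELLO)
    server_msgs = handshake_messages(server_bytes)
    negotiated, _sid, suite = parse_server_hello(
        next(p for t, p in server_msgs if t == HS_SERVER_HELLO))
    offered = (client_hello[0], client_hello[1])
    return {"client_offered": VERSION_NAMES.get(offered, str(offered)),
            "negotiated": VERSION_NAMES.get(negotiated, str(negotiated)),
            "cipher_suite": "0x%04x" % suite,
            "server_flight": [t for t, _ in server_msgs],
            "enforced": negotiated >= parse_protocol_min(protocol_min)}

def _record(msgs):
    """Wrap handshake messages in one TLS record with record version 3.1, as captured."""
    body = b"".join(bytes([t]) + len(p).to_bytes(3, "big") + p for t, p in msgs)
    return bytes([CONTENT_TYPE_HANDSHAKE, 3, 1]) + struct.pack("!H", len(body)) + body

def build_client_hello():
    """70-byte ClientHello record, client_version TLS 1.0, 10 suites (filler values)."""
    suites = b"".join(struct.pack("!H", s) for s in
                      (0x2f, 0x35, 0x0a, 0x33, 0x39, 0x32, 0x38, 0x05, 0x04, 0xff))
    hello = (b"\x03\x01" + b"\x11" * 32 + b"\x00"  # version, filler random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"  # one compression method: null
             + struct.pack("!H", len(RENEG_INFO_EXT)) + RENEG_INFO_EXT)
    return _record([(HS_CLIENT_HELLO, hello)])

def build_server_flight():
    """1704-byte record: ServerHello (TLS 1.0, 0x002f), Certificate, CertificateRequest, Done."""
    session_id = bytes.fromhex("39c37acec27b5f497c3bf4a4c694c4a9cc03ed6371e0fee0") + b"\x00" * 8
    hello = (b"\x03\x01" + b"\x22" * 32 + bytes([len(session_id)]) + session_id
             + b"\x00\x2f" + b"\x00"  # TLS_RSA_WITH_AES_128_CBC_SHA, compression null
             + struct.pack("!H", len(RENEG_INFO_EXT)) + RENEG_INFO_EXT)
    certificate = (1496).to_bytes(3, "big") + b"\x30" * 1496  # filler certificate list
    cert_request = (b"\x03" + b"\x01\x02\x40"  # rsa_sign, dss_sign, ecdsa_sign
                    + struct.pack("!H", 106) + b"\x00" * 106)  # filler DNs
    return _record([(HS_SERVER_HELLO, hello), (HS_CERTIFICATE, certificate),
                    (HS_CERTIFICATE_REQUEST, cert_request), (HS_SERVER_HELLO_DONE, b"")])

if __name__ == "__main__":
    print(check_enforcement(build_client_hello(), build_server_flight(), "3.3"))
```

Point the parser at a real capture by feeding it the reassembled TCP payload of each direction (for example the bytes behind tcpdump -w, extracted with any pcap reader); the verdict logic does not change. With "3.3" the exchange above reports enforced: False; the same exchange against "3.1" is accepted, which is the behaviour the server actually showed.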
On Fri, 9 Sep 2016 17:18:19 +0000, Steve Zeng steve.zeng@booking.com wrote:
Is this compiled with GnuTLS or OpenSSL?
-Dieter
OpenSSL
Thanks, Steve
On Sep 10, 2016, at 00:58, Dieter Klünter dieter@dkluenter.de wrote:
Is this compiled with GnuTLS or OpenSSL?
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
--On Saturday, September 10, 2016 10:57 AM +0200 Dieter Klünter dieter@dkluenter.de wrote:
However, TLS1.0 still shows up in a lot of tcpdump packets:
Is this compiled with GnuTLS or OpenSSL?
Since it is ".el6" that would generally imply a RHEL build. That would in turn mean it is most likely compiled against the known insecure and broken MozNSS libs. So neither GnuTLS or OpenSSL.
--Quanah
--
Quanah Gibson-Mount
Thanks for the note. So we need to rebuild it against OpenSSL?
Thanks, Steve
On Sep 10, 2016, at 13:37, Quanah Gibson-Mount quanah@zimbra.com wrote:
Since it is ".el6" that would generally imply a RHEL build. That would in turn mean it is most likely compiled against the known insecure and broken MozNSS libs. So neither GnuTLS or OpenSSL.
On 11/09/2016 at 03:25, Steve Zeng wrote:
Thanks for the note. So we need to rebuild it against OpenSSL?
You can give the LDAP Tool Box packages a try; they are built against OpenSSL:
- http://ltb-project.org/wiki/documentation/openldap-rpm
- http://ltb-project.org/wiki/download#openldap
Thanks for the LDAP tool box packages. I will give it a try.
Quick question: I ran ldd to find out which TLS/SSL library is used, and it shows:
# ldd /usr/sbin/slapd
    linux-vdso.so.1 =>  (0x00007fff5b044000)
    libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f3a36585000)
    libdb-4.7.so => /lib64/libdb-4.7.so (0x00007f3a36211000)
    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f3a35ff6000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f3a35dbf000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3a35ba5000)
    libssl3.so => /usr/lib64/libssl3.so (0x00007f3a35965000)
    libsmime3.so => /usr/lib64/libsmime3.so (0x00007f3a35739000)
    libnss3.so => /usr/lib64/libnss3.so (0x00007f3a353fa000)
    libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f3a351cd000)
    libplds4.so => /lib64/libplds4.so (0x00007f3a34fc9000)
    libplc4.so => /lib64/libplc4.so (0x00007f3a34dc4000)
    libnspr4.so => /lib64/libnspr4.so (0x00007f3a34b85000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a34968000)
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3a3475d000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a343c8000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a341c4000)
    libfreebl3.so => /lib64/libfreebl3.so (0x00007f3a33f4d000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f3a33d36000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f3a33b2e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a3679c000)
    libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f3a33914000)
# rpm -qf /usr/lib64/libssl3.so
nss-3.21.0-8.el6.x86_64
Will that (the line containing libssl3.so) confirm it is the MozNSS libs?
I also tried the setting below, and all clients immediately could not connect. Is that a suggested setting for this purpose, or is it simply due to the wrong value I gave?
olcTLSCipherSuite: ALL:!TLSv1.0:!TLSv1.1:!SSLv3
Thanks, Steve
On 9/12/16, 4:26 AM, "openldap-technical on behalf of Clément OUDOT" <openldap-technical-bounces@openldap.org on behalf of clement.oudot@savoirfairelinux.com> wrote:
- http://ltb-project.org/wiki/documentation/openldap-rpm
- http://ltb-project.org/wiki/download#openldap
-- Clément OUDOT Consultant en logiciels libres, Expert infrastructure et sécurité Savoir-faire Linux 87, rue de Turbigo - 75003 PARIS Blog: http://sflx.ca/coudot
--On Monday, September 12, 2016 7:08 PM +0000 Steve Zeng steve.zeng@booking.com wrote:
Will that (the line containing libssl3.so) confirm it is the MozNSS libs?
Yes.
--
Quanah Gibson-Mount
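The ldd check Steve ran is the right one, and Quanah's "Yes." is what it shows: libssl3.so, libnss3.so, libsmime3.so, libnssutil3.so and libnspr4.so are Mozilla NSS and NSPR, and despite its name libssl3.so has nothing to do with OpenSSL's libssl.so.10 (nor is glibc's libcrypt.so.1 OpenSSL's libcrypto). The script below is an added example, not code from the thread or from OpenLDAP: it parses ldd output and names the TLS backend, handling the no-TLS and more-than-one-library cases. THREAD_LDD_OUTPUT is the listing posted above; the OpenSSL and GnuTLS listings, and every load address in them, are constructed so the other branches are exercised.

```python
"""Tell which TLS library a slapd binary is linked against from ldd output.

Added example for this thread, not OpenLDAP code. THREAD_LDD_OUTPUT is the
ldd listing posted in the thread; the OpenSSL and GnuTLS listings are
constructed (typical RHEL 6 sonames, made-up addresses) for the other cases.
"""
import re

# Soname prefixes identifying each backend. The trap the thread turns on: NSS
# ships libssl3.so, which is not OpenSSL's libssl.so.N. str.startswith("libssl.so")
# does not match "libssl3.so", and "libcrypto.so" does not match glibc's libcrypt.so.1.
BACKEND_MARKERS = {
    "MozNSS": ("libssl3.so", "libnss3.so", "libsmime3.so", "libnssutil3.so", "libnspr4.so"),
    "OpenSSL": ("libssl.so", "libcrypto.so"),
    "GnuTLS": ("libgnutls.so",),
}

# 'soname => /path (0xaddr)'. The vDSO line has no path and the loader line has no '=>'.
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(/\S+)?\s*\(0x[0-9a-f]+\)")

THREAD_LDD_OUTPUT = """\
linux-vdso.so.1 =>  (0x00007fff5b044000)
libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f3a36585000)
libdb-4.7.so => /lib64/libdb-4.7.so (0x00007f3a36211000)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f3a35ff6000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f3a35dbf000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3a35ba5000)
libssl3.so => /usr/lib64/libssl3.so (0x00007f3a35965000)
libsmime3.so => /usr/lib64/libsmime3.so (0x00007f3a35739000)
libnss3.so => /usr/lib64/libnss3.so (0x00007f3a353fa000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f3a351cd000)
libplds4.so => /lib64/libplds4.so (0x00007f3a34fc9000)
libplc4.so => /lib64/libplc4.so (0x00007f3a34dc4000)
libnspr4.so => /lib64/libnspr4.so (0x00007f3a34b85000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a34968000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3a3475d000)
libc.so.6 => /lib64/libc.so.6 (0x00007f3a343c8000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a341c4000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f3a33f4d000)
libz.so.1 => /lib64/libz.so.1 (0x00007f3a33d36000)
librt.so.1 => /lib64/librt.so.1 (0x00007f3a33b2e000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3a3679c000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f3a33914000)
"""

# Constructed samples (not from the thread) for an OpenSSL and a GnuTLS build.
OPENSSL_LDD_SAMPLE = """\
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000001000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000002000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0000003000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)
"""
GNUTLS_LDD_SAMPLE = """\
libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x00007f0000001000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)
"""

def parse_ldd(text):
    """Return {soname: path} for every resolved dependency line."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group(2):
            deps[m.group(1)] = m.group(2)
    return deps

def classify_tls_backend(ldd_text):
    """Return (backend, evidence). backend is MozNSS, OpenSSL, GnuTLS, 'unknown'
    (no TLS library linked) or 'mixed' (more than one); evidence lists the
    sonames that decided it, so the answer can be checked against the listing."""
    deps = parse_ldd(ldd_text)
    hits = {b: sorted(n for n in deps if n.startswith(m)) for b, m in BACKEND_MARKERS.items()}
    found = [b for b, names in hits.items() if names]
    if not found:
        return "unknown", []
    if len(found) == 1:
        return found[0], hits[found[0]]
    return "mixed", sorted(n for b in found for n in hits[b])

if __name__ == "__main__":
    backend, evidence = classify_tls_backend(THREAD_LDD_OUTPUT)
    print(backend, evidence)
```

On a live host, pipe `ldd /usr/sbin/slapd` into classify_tls_backend; the rpm -qf step in the thread then tells you which package owns the library it names.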
Hello,
I am sorry for the inconvenience. I have filed a bug about this: https://bugzilla.redhat.com/show_bug.cgi?id=1375432
This should be fixed in the next release.
Regards.
Steve Zeng steve.zeng@booking.com writes:
Will that (the line containing libssl3.so) confirm it is the MozNSS libs?
openldap-technical@openldap.org