I want to restrict the cipher suites used in OpenLDAP so that only TLS1.2 is supported.
Looking at https://openldap.org/doc/admin24/tls.html, I first tried setting olcTLSCipherSuite to "HIGH" but the LDAP server gave an error 80 and then stopped accepting further connections until I restarted it.
Since our OpenLDAP installation has been built with GnuTLS, I'm presuming that I have to explicitly list out the GnuTLS cipher suites I want to use. I've used gnutls-cli to list out the cipher suites that support PFS and then extracted the ones that are TLS1.2.
So, just to confirm, do I need to provide a colon-separated list of each and every cipher suite or is there a GnuTLS shorthand that I can use?
Regards
Philip
On 2/7/19 5:50 PM, Philip Colmer wrote:
I want to restrict the cipher suites used in OpenLDAP so that only TLS1.2 is supported.
Looking at https://openldap.org/doc/admin24/tls.html, I first tried setting olcTLSCipherSuite to "HIGH" but the LDAP server gave an error 80 and then stopped accepting further connections until I restarted it.
Attribute 'olcTLSCipherSuite' is for setting the cipher suites.
You should rather set
olcTLSProtocolMin: 3.3
Ciao, Michael.
Many thanks, Ryan.
I'll schedule a maintenance window so that I can do some testing without affecting users.
Regards
Philip
On Thu, 7 Feb 2019 at 17:09, Ryan Tandy ryan@nardis.ca wrote:
On Thu, Feb 07, 2019 at 06:05:02PM +0100, Michael Ströder wrote:
You should rather set
olcTLSProtocolMin: 3.3
Unfortunately this option is currently implemented for OpenSSL only, while Philip mentioned he is using GnuTLS.
On Thu, Feb 07, 2019 at 04:50:58PM +0000, Philip Colmer wrote:
So, just to confirm, do I need to provide a colon-separated list of each and every cipher suite or is there a GnuTLS shorthand that I can use?
See https://gnutls.org/manual/html_node/Priority-Strings.html for a list of keywords.
I think you are likely looking for something like (completely untested):
NORMAL:-VERS-ALL:+VERS-TLS1.2
For debugging priority strings and checking what they enable, you can use gnutls-cli:
gnutls-cli --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -l
For example I noticed this way that mine doesn't understand "VERS-TLS1.3" yet.
I'll mention as well since this came up in IRC recently - if you have Ubuntu 14.04 systems in your network still, be aware that its gnutls package has trouble with TLS1.2: https://bugs.launchpad.net/bugs/1444656
Hope this helps, Ryan
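As an added example (not code from the thread), the shell sequence a GnuTLS-built slapd would need, using the priority string Ryan suggested: the cn=config LDIF for olcTLSCipherSuite, a pre-flight check of the string with gnutls-cli -l before it is loaded into the server, and a small parser for the Protocols: line of that output. The host ldap.example.com, the ldapmodify invocation and the sample gnutls-cli output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: slapd built against GnuTLS and
# configured via cn=config, ldapmodify with SASL EXTERNAL over ldapi:///, gnutls-cli
# installed, and ldaps on port 636 of ldap.example.com (placeholder host).
set -eu

PRIORITY='NORMAL:-VERS-ALL:+VERS-TLS1.2'

# LDIF that sets the GnuTLS priority string on cn=config. 'replace' also
# overwrites a leftover OpenSSL-style value such as "HIGH".
tls12_only_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' "$1"
}

# Read `gnutls-cli -l --priority STRING` output on stdin and print the protocol
# versions from its "Protocols: ..." line (comma-separated; format assumed).
enabled_protocols() {
    sed -n 's/^Protocols: *//p' | tr -d ','
}

# Succeeds only when TLS1.2 is the sole enabled version.
only_tls12() {
    [ "$(enabled_protocols)" = 'VERS-TLS1.2' ]
}

# Validate the string locally before loading it into slapd: a value GnuTLS
# rejects breaks TLS on the running server until it is restarted.
check_priority() {
    gnutls-cli -l --priority "$1" | only_tls12
}

# Constructed sample of gnutls-cli -l output, used for an offline self-check.
SAMPLE_LIST='Cipher suites for NORMAL:-VERS-ALL:+VERS-TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256    0xc0, 0x2f    TLS1.2
Protocols: VERS-TLS1.2
Ciphers: AES-128-GCM'

case "${1:-selfcheck}" in
    selfcheck)
        printf '%s\n' "$SAMPLE_LIST" | only_tls12 && echo 'sample: TLS1.2 only' ;;
    apply)
        check_priority "$PRIORITY"
        tls12_only_ldif "$PRIORITY" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
        # Negative probe: a client offering only TLS1.0 must now be refused.
        if gnutls-cli --priority 'NORMAL:-VERS-ALL:+VERS-TLS1.0' -p 636 ldap.example.com </dev/null; then
            echo 'WARNING: TLS1.0 still accepted'; exit 1
        fi
        echo 'OK: TLS1.0 refused' ;;
esac
```

Run with no argument for the offline self-check; run with `apply` during the maintenance window to load the setting and probe the live server.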
openldap-technical@openldap.org