Hi all,
I'm writing on behalf of a user regarding how to go about configuring LDAPS support for SSLv3.0 certificate under OpenLDAP v2.4.44 - running on Debian 9/Stretch (default Debian 'slapd' package install).
I know that SSLv3.0 is insecure and generally a bad option, but a user needs to connect to LDAPS with an old application that only supports SSLv3.0.
I understand that a complicating factor may be that the Debian OpenLDAP (slapd) package is compiled against GnuTLS, rather than OpenSSL.
Any insight that might head me in the right direction would be greatly appreciated.
Also please note that I'm a bit of an OpenLDAP newb and my knowledge of SSL/TLS is more related to web servers/browsers and more about "best practices" rather than tweaking to be more permissive.
Regards,
Jeremy Davis
TurnKey Linux
--On Tuesday, July 02, 2019 12:58 PM +1000 Jeremy Davis jeremy@turnkeylinux.org wrote:
> Hi all,
> I'm writing on behalf of a user regarding how to go about configuring LDAPS support for SSLv3.0 certificate under OpenLDAP v2.4.44 - running on Debian 9/Stretch (default Debian 'slapd' package install).
Hi Jeremy,
I don't have a system in front of me to test this against, but in reading the slapd.conf(5) man page, it's fairly clear that:
a) GnuTLS ignores the TLSProtocolMin directive, so you can't use that and
b) That the way to do this with GnuTLS is via the TLSCipherSuite setting. The man page directs one to look at the gnutls-cli(1) man page, in particular, the --priority setting.
If we pull up this man page (https://linux.die.net/man/1/gnutls-cli for example), there are some examples provided there. Based on those examples, it looks like perhaps something along the lines of:
"NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could set it to something like "NORMAL:+VERS-SSL3.0" or perhaps "EXPORT:+VERS-SSL3.0"
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Tue, Jul 02, 2019 at 09:36:25AM -0700, Quanah Gibson-Mount wrote:
> b) That the way to do this with GnuTLS is via the TLSCipherSuite setting. The man page directs one to look at the gnutls-cli(1) man page, in particular, the --priority setting.
> If we pull up this man page (https://linux.die.net/man/1/gnutls-cli for example), there are some examples provided there. Based on those examples, it looks like perhaps something along the lines of:
> "NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could set it to something like "NORMAL:+VERS-SSL3.0" or perhaps "EXPORT:+VERS-SSL3.0"
NORMAL:+VERS-SSL3.0 sounds like the right idea. I'd avoid EXPORT unless really, absolutely necessary. Depending on the specific client software you may also have to enable some additional cipher suite(s).
I would also add that you can use gnutls-cli(1) to verify and test your priority strings.
e.g.: gnutls-cli -l --priority 'NORMAL:+VERS-SSL3.0' will show you the ciphers and other features enabled by that priority string, and inform you if the string is not valid.
openldap-technical@openldap.org
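As an added example that is not code from anyone on this thread, a small Python lint that applies the points above to slapd's TLS directives: it evaluates which protocol versions a GnuTLS priority string leaves enabled (simplified, assumed semantics; `gnutls-cli -l --priority` on the actual host is authoritative) and flags a TLSProtocolMin line as ignored under the GnuTLS build, an EXPORT keyword, and any string that enables SSL3.0.

```python
"""Lint the GnuTLS priority string slapd takes from TLSCipherSuite (added example,
not from the thread). Assumed model: NONE starts with no versions, any other (or
missing) keyword starts with TLS1.0-1.2, '+' adds, '-' and '!' remove. The
authoritative answer for an installed GnuTLS is gnutls-cli -l --priority."""
import re

ALL = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")
TLS_ONLY = {"TLS1.0", "TLS1.1", "TLS1.2"}
KEYWORDS = ("NONE", "NORMAL", "PERFORMANCE", "SECURE128", "SECURE256", "EXPORT")

def enabled_versions(priority):
    """Return (set of enabled protocol versions, initial keyword)."""
    tokens = [t for t in priority.split(":") if t]
    if tokens and tokens[0].upper() in KEYWORDS:
        keyword = tokens.pop(0).upper()
    else:
        keyword = "NORMAL"  # assumption: no keyword behaves like NORMAL
    enabled = set() if keyword == "NONE" else set(TLS_ONLY)
    for tok in tokens:
        m = re.fullmatch(r"([+\-!])VERS-(SSL3\.0|TLS1\.[012]|TLS-ALL|ALL)", tok)
        if m is None:
            continue  # cipher, MAC, KX and %option tokens do not change versions
        op, name = m.groups()
        names = ALL if name == "ALL" else TLS_ONLY if name == "TLS-ALL" else {name}
        if op == "+":
            enabled |= set(names)
        else:
            enabled -= set(names)
    return enabled, keyword

def lint_slapd_tls(config_lines):
    """Check TLS directives (slapd.conf or cn=config style) and return findings."""
    findings = []
    for line in config_lines:
        m = re.match(r"\s*(olc)?(TLSCipherSuite|TLSProtocolMin):?\s+(\S.*)", line, re.I)
        if not m:
            continue
        directive, value = m.group(2).lower(), m.group(3).strip().strip('"')
        if directive == "tlsprotocolmin":
            findings.append("TLSProtocolMin is ignored by a GnuTLS build; use TLSCipherSuite")
            continue
        versions, keyword = enabled_versions(value)
        if keyword == "EXPORT":
            findings.append("EXPORT keyword in %r: avoid unless absolutely necessary" % value)
        if "SSL3.0" in versions:
            findings.append("SSL3.0 enabled by %r: insecure, keep it a scoped exception" % value)
        if not versions:
            findings.append("no protocol version enabled by %r" % value)
    return findings
```

Run it over the lines of your slapd.conf (or the olcTLS* attributes from cn=config) before restarting slapd, then confirm the real enabled set with gnutls-cli as suggested above.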