Hi Team,
Hope you can help with this issue.
I am trying to disable SSLv3 on OpenLDAP servers; we are using OpenLDAP as a proxy with upstream Active Directory servers. We are using CA certs on this OpenSSL, and we would like to disable SSLv3. Based on an earlier update from the OpenLDAP technical support team, I added "TLSProtocolMin 3.2" and was able to restart the slapd service as well without any issue.
However, when we tried to test SSLv3 connectivity it is still showing SSLv3 enabled. This OpenLDAP server is built on a RHEL server, locally compiled, and the openssl rpm/binaries are part of the base RHEL OS image.
cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2
openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1
SSLv3 is insecure, as you know, and we are looking to disable this ASAP. Any help in addressing this is much appreciated.
Thanks
Narayanan
Linux Platform Engineering
500 Staples Drive, Framingham MA
Office: 508-253-6909 | Mobile: 508-333-4395
What version of RHEL? OpenLDAP? openssl? Is your installation using slapd.conf, or is it using cn=config?
Nick
On Tue, Nov 2, 2021 at 10:13 PM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:
It's rhel7, openldap version is 2.4.54 and we use slapd.conf.
Narayanan
From: Nick Folino nick@folino.us
Sent: Wednesday, November 3, 2021 6:14:29 AM
To: Ballem, Narayanan Narayanan.Ballem@Staples.com
Cc: openldap-technical@openldap.org
Subject: [EXT]:Re: OpenLDAP SSLV3 disable
Where in the slapd.conf did you put the tlsprotocolmin statement?
Nick
On Wed, Nov 3, 2021 at 7:00 AM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:
Yes, along with the TLS certs as well.
cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2
-Narayanan
From: Nick Folino nick@folino.us
Sent: Wednesday, November 3, 2021 7:14 AM
To: Ballem, Narayanan Narayanan.Ballem@Staples.com
Cc: openldap-technical@openldap.org
Subject: Re: [EXT]:Re: OpenLDAP SSLV3 disable
I'll just assume it's in the right location in the file as it doesn't error out. If it's in the correct location of the conf file that you're loading, then it should work. Have you checked with Red Hat to make sure they haven't messed with it? They're famous for that. As an alternative you can compile it yourself.
Nick
On Wed, Nov 3, 2021 at 1:14 PM Ballem, Narayanan <Narayanan.Ballem@staples.com> wrote:
--On Tuesday, November 2, 2021 11:38 PM +0000 "Ballem, Narayanan" Narayanan.Ballem@Staples.com wrote:
openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1
I am unable to reproduce this on RHEL7.
With no TLS protocol min set:
openssl s_client -connect localhost:636 -ssl3 -quiet
depth=0 CN = c7rpmtest
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = c7rpmtest
verify error:num=10:certificate has expired
notAfter=Aug 12 23:14:52 2020 GMT
verify return:1
depth=0 CN = c7rpmtest
notAfter=Aug 12 23:14:52 2020 GMT
verify return:1
With TLS protocol min set to 3.2 or 3.3:
# openssl s_client -connect localhost:636 -ssl3 -quiet
140008023218064:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
It appears you are modifying slapd.conf, while the default RHEL7 packages use cn=config, so modifications made to a slapd.conf file would have no effect if cn=config is in use.
As an aside I would note that OpenLDAP 2.4.54 is rather old and that the 2.4 release series is historic and no longer supported. You may wish to avail yourself of the free replacement packages for RHEL7 that are provided by Symas at https://repo.symas.com/soldap/ which are linked to a current release of OpenSSL vs the ancient RHEL7 openssl, and are also for the current supported OpenLDAP 2.6 release series. If you are insistent on using the historic unsupported OpenLDAP 2.4 release, we also have free replacement packages providing OpenLDAP 2.4.59 on RHEL7 at https://repo.symas.com/sofl/rhel7/.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
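To make the three points raised in this thread checkable (is slapd reading slapd.conf or cn=config; is TLSProtocolMin in the global section of slapd.conf, before any database definition; and does the `openssl s_client -ssl3` result show a refused handshake or a served certificate chain), here is an added Python example. It is not code from the OpenLDAP project or from anyone in this thread. The slapd command lines, the slapd.conf fragment and the s_client outputs it uses are constructed for the example (the outputs are modelled on the two runs Quanah posted), and the /opt/dirsvcs paths are borrowed from the thread only as sample values.

```python
#!/usr/bin/env python3
"""Three checks for an 'SSLv3 disabled on slapd' change (example added to
this thread; not OpenLDAP project code).  Sample inputs are constructed.

  config_source()    which configuration slapd was started with
  tls_protocol_min() TLSProtocolMin value and whether it is in the global
                     section of slapd.conf (before the first 'database')
  sslv3_disabled()   classify captured 'openssl s_client -ssl3' output
"""
import re
import shlex


def config_source(slapd_cmdline: str) -> str:
    """Infer the config source from the running slapd's command line.

    slapd(8): -F <dir> selects cn=config, -f <file> a slapd.conf.  With both,
    the file is converted into the directory and cn=config is then used, so
    -F wins.  With neither the choice is a build default, reported as such.
    """
    args = shlex.split(slapd_cmdline)
    if "-F" in args:
        return "cn=config"
    if "-f" in args:
        return "slapd.conf"
    return "default"


_DATABASE_RE = re.compile(r"^database\s+\S+", re.IGNORECASE)
_TLSMIN_RE = re.compile(r"^TLSProtocolMin\s+(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def tls_protocol_min(conf_text: str):
    """Return ((major, minor), in_global_section) for the first TLSProtocolMin,
    or (None, False) if absent.  TLS* options are global in slapd.conf, so a
    directive after the first 'database' line is not where slapd reads it."""
    seen_database = False
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if _DATABASE_RE.match(line):
            seen_database = True
        m = _TLSMIN_RE.match(line)
        if m:
            minor = int(m.group(2)) if m.group(2) else 0
            return (int(m.group(1)), minor), not seen_database
    return None, False


def sslv3_disabled(s_client_output: str) -> bool:
    """Classify 'openssl s_client -connect host:port -ssl3 -quiet' output.

    A refused handshake ends in an SSL-routines error (e.g. 'ssl handshake
    failure') and prints no certificate lines; an accepted one prints
    'depth=N ...' / 'verify return:' lines because the server sent its chain.
    Anything else (e.g. a client-side option error) is raised for inspection.
    """
    if re.search(r"handshake failure|wrong version number|alert protocol version",
                 s_client_output):
        return True
    if re.search(r"^verify return:", s_client_output, re.MULTILINE):
        return False
    raise ValueError("unrecognised s_client output; inspect it by hand")


def audit(slapd_cmdline, conf_text, s_client_output, required=(3, 2)):
    """Combine the three checks into a list of findings (empty means all good)."""
    findings = []
    source = config_source(slapd_cmdline)
    if source != "slapd.conf":
        findings.append(f"slapd config source is {source}; slapd.conf edits may be ignored")
    value, in_global = tls_protocol_min(conf_text)
    if value is None:
        findings.append("TLSProtocolMin not set")
    elif value < required:
        findings.append(f"TLSProtocolMin {value[0]}.{value[1]} is below required "
                        f"{required[0]}.{required[1]}")
    elif not in_global:
        findings.append("TLSProtocolMin appears after a 'database' directive, "
                        "not in the global section")
    if not sslv3_disabled(s_client_output):
        findings.append("server still completed an SSLv3 handshake")
    return findings


# --- constructed sample inputs ---------------------------------------------
GLOBAL_OK_CONF = """\
include /opt/dirsvcs/etc/openldap/schema/core.schema
# TLS settings in the global section (hypothetical paths)
TLSCACertificateFile /opt/dirsvcs/etc/openldap/certs/ca.pem
TLSCertificateFile /opt/dirsvcs/etc/openldap/certs/server.pem
TLSCertificateKeyFile /opt/dirsvcs/etc/openldap/certs/server.key
TLSProtocolMin 3.2

database ldap
suffix "dc=example,dc=com"
uri "ldaps://ad.example.com/"
"""
# Same directive, but placed after the database definition
MISPLACED_CONF = GLOBAL_OK_CONF.replace("TLSProtocolMin 3.2\n", "") + "TLSProtocolMin 3.2\n"

ACCEPTED_OUTPUT = "depth=0 CN = c7rpmtest\nverify error:num=18:self signed certificate\nverify return:1\n"
REJECTED_OUTPUT = ("140008023218064:error:1409E0E5:SSL routines:ssl3_write_bytes:"
                   "ssl handshake failure:s3_pkt.c:659:\n")

if __name__ == "__main__":
    cmd = "/opt/dirsvcs/libexec/slapd -f /opt/dirsvcs/etc/openldap/slapd.conf -h ldaps://:1636"
    for label, conf, out in [("global", GLOBAL_OK_CONF, REJECTED_OUTPUT),
                             ("misplaced", MISPLACED_CONF, ACCEPTED_OUTPUT)]:
        print(label, audit(cmd, conf, out) or ["no findings"])
```

Run as-is it audits the two constructed cases; in practice feed `audit()` the running slapd's arguments (for example from `ps -o args= -C slapd`), the slapd.conf that command line names, and the captured s_client output. If the client's openssl was built without SSLv3 support, `-ssl3` fails on the client side; that output matches neither pattern and `sslv3_disabled()` raises instead of reporting a server-side refusal.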