Hi,
OpenLDAP seems to support an undocumented configuration parameter "TLSProtocolMin" when linked against OpenSSL. It allows to set the minimum SSL/TLS protocol version:
* TLSProtocolMin 768 # (3 << 8) disables SSLv2 * TLSProtocolMin 769 # ((3 << 8)+1) disables SSLv2 and SSLv3
As there's no documentation for TLSProtocolMin: Is this feature ready for production or is it experimental?
Best regards, Manuel
--On Tuesday, July 23, 2013 1:11 PM +0200 Manuel Gaupp mgaupp@googlemail.com wrote:
Hi,
OpenLDAP seems to support an undocumented configuration parameter "TLSProtocolMin" when linked against OpenSSL. It allows to set the minimum SSL/TLS protocol version:
- TLSProtocolMin 768 # (3 << 8) disables SSLv2
- TLSProtocolMin 769 # ((3 << 8)+1) disables SSLv2 and SSLv3
As there's no documentation for TLSProtocolMin: Is this feature ready for production or is it experimental?
Please file an ITS about its lack of documentation: http://www.openldap.org/its
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
On Tue, 23 Jul 2013, Quanah Gibson-Mount wrote:
--On Tuesday, July 23, 2013 1:11 PM +0200 Manuel Gaupp mgaupp@googlemail.com wrote:
OpenLDAP seems to support an undocumented configuration parameter "TLSProtocolMin" when linked against OpenSSL. It allows to set the minimum SSL/TLS protocol version:
- TLSProtocolMin 768 # (3 << 8) disables SSLv2
- TLSProtocolMin 769 # ((3 << 8)+1) disables SSLv2 and SSLv3
As there's no documentation for TLSProtocolMin: Is this feature ready for production or is it experimental?
Please file an ITS about its lack of documentation: http://www.openldap.org/its
My original ITS for this included an update for ldap.conf(5) which was never committed:
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=5655
I thought I had a diff for slapd.conf(5) as well, but I don't see it in the src trees I have on hand. Maybe it's in that backup at home. The bulk of the wording can be shared with the ldap.conf(5) diff, of course.
That reminds me: now that newer versions of OpenSSL have support for TLS 1.1 and 1.2, including the ability to disable them, here's a diff to add support for doing so in OpenLDAP. Build tested only.
Philip Guenther
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index 24d43ee..3c077f8 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -219,6 +219,25 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) (const unsigned char *) "OpenLDAP", sizeof("OpenLDAP")-1 ); }
+#ifdef SSL_OP_NO_TLSv1 +#ifdef SSL_OP_NO_TLSv1_1 +#ifdef SSL_OP_NO_TLSv1_2 + if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2) + SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | + SSL_OP_NO_TLSv1_2 ); + else +#endif + if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_1) + SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 ); + else +#endif + if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_0) + SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_TLSv1); + else +#endif if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 ); else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
openldap-technical@openldap.org
-
Manuel Gaupp -
Philip Guenther -
Quanah Gibson-Mount