From: [email protected]
To: [email protected]; [email protected]
Subject: RE: Redhat LDAP Client Issues when disabling SSLv3
Date: Thu, 23 Oct 2014 10:52:22 -0400

> Date: Thu, 23 Oct 2014 11:59:10 +0900
> From: [email protected]
> To: [email protected]
> Subject: Re: Redhat LDAP Client Issues when disabling SSLv3
>
> At Wed, 22 Oct 2014 16:54:24 -0500,
> Peter Boguszewski wrote:
> > Thanks for the quick response. I was also messing with the
> > olcTLSProtocolMin settings and seeing similar issues (which are now
> > verified by your answer). It appears as though RHEL 6.x does not support
> > TLS1.1 nor TLS1.2 with the yum installed packages.
>
> OpenLDAP in RHEL 6.x is version 2.4.23 that has a bug, ITS#7645.
> (See http://www.openldap.org/its/index.cgi?findid=7645)
>
> You must set olcTLSProtocolMin to 769 instead of 3.1
> for OpenLDAP 2.4.35 and older.
>
> > > Cipher suites are not protocol versions. To configure slapd to only
> > > negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented
> > > in slapd-config(5).
>
> --
> -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
> -- Business Home: http://www.OSSTech.co.jp/
> -- GitHub Home: https://GitHub.com/fumiyas/
> -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA

Thank you Satoh.
I can confirm setting olcTLSProtocolMin 3.1 disabled SSLv3 in the RHEL openldap-2.4.39-8 package.
However, setting olcTLSProtocolMin 769 on openldap-2.4.23-34.el6_5.1 still allows a successful SSLv3 handshake. Also, olcTLSProtocolMin is not even documented in the slapd.conf man pages for this version. I suspect I'm hitting the issue of RHEL openldap being linked against moz_nss and not openssl, therefore olcTLSProtocolMin is ignored in this version.
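The thread turns on two things: which spelling of the minimum-protocol value a given OpenLDAP release accepts (the single integer 769 for 2.4.35 and older per ITS#7645, the dotted "3.1" for newer releases), and the fact that setting it is not enough on its own, since the RHEL 6 build may ignore it, so the result has to be verified with an actual handshake attempt. The script below is an added example, not code from the thread or from the OpenLDAP project. It renders the cn=config modification in either form and probes a server for SSLv3 acceptance. The function names tls_min_value, tls_min_ldif, apply_tls_min and sslv3_accepted are my own; the ldapmodify and openssl s_client invocations are the standard ones, and the probe assumes an openssl build that still carries the -ssl3 option (newer builds reject it, which the function reports as "not accepted").

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Function names are illustrative.

# tls_min_value MAJOR.MINOR legacy|modern
# OpenLDAP 2.4.35 and older (ITS#7645) read olcTLSProtocolMin as one integer,
# (major * 256) + minor, so TLS 1.0 written as "3.1" must be given as 769.
# OpenLDAP 2.4.36 and newer accept the dotted "3.1" form documented in slapd-config(5).
tls_min_value() {
    major=${1%%.*}
    minor=${1#*.}
    case "$2" in
        legacy) echo $(( major * 256 + minor )) ;;
        modern) echo "$major.$minor" ;;
        *) echo "usage: tls_min_value MAJOR.MINOR legacy|modern" >&2; return 1 ;;
    esac
}

# tls_min_ldif MAJOR.MINOR legacy|modern
# Emit the LDIF that replaces olcTLSProtocolMin on the cn=config entry.
tls_min_ldif() {
    value=$(tls_min_value "$1" "$2") || return 1
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "$value"
}

# apply_tls_min MAJOR.MINOR legacy|modern
# Apply the change over the local ldapi socket using the root's SASL EXTERNAL identity.
apply_tls_min() {
    tls_min_ldif "$1" "$2" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# sslv3_accepted HOST PORT
# Returns 0 (true) when the server completes an SSLv3 handshake, 1 otherwise.
# This is the check the thread shows is necessary: a build linked against NSS
# may ignore olcTLSProtocolMin, so trust the handshake result, not the config.
sslv3_accepted() {
    if printf '' | openssl s_client -ssl3 -connect "$1:$2" 2>/dev/null \
        | grep -q 'Protocol *: *SSLv3'; then
        return 0
    fi
    return 1
}

# Typical use (run on the LDAP server as root):
#   apply_tls_min 3.1 legacy     # openldap 2.4.23, e.g. RHEL 6
#   apply_tls_min 3.1 modern     # openldap 2.4.39 and newer
#   sslv3_accepted ldap.example.test 636 && echo "SSLv3 still negotiable"
```

The probe is the part worth keeping in a deployment checklist: after any change to olcTLSProtocolMin, run sslv3_accepted (or an equivalent scanner) against port 636 and the STARTTLS endpoint, because the value being accepted by slapd says nothing about whether the TLS library actually honours it.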
