Le 22/07/2015 18:27, Olivier a écrit :
Hi everyone
Question : are there some limitations (key size, encryption algorithm,
etc.) for certificates used by openldap to manage TLS connexions ?
See below why I ask :
I have used the following configuration in my slapd servers for quite
a while without any problem :
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow
See for example my configuration for syncrepl (see: tls_reqcert=demand) :
olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr
<http://ldap1.example.fr> bindmethod=sasl
sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type
=refreshAndPersist retry="5 +" starttls=yes
tls_cacert=/etc/openldap/cacer
ts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt
tls_key=/etc/openldap
/cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 fil
ter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand
-> I have used this for couple of years on my multimastered ldap
servers, and until yesterday that worked perfectly : replication was
working properly and clients talked with the servers using TLS without
any problem.
But I since my certicates were too weak (see this : sha1, 512 bit) :
$ openssl x509 -text -in server.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT,
CN=ldap/[email protected] <mailto:[email protected]>
Validity
Not Before: Dec 29 15:41:56 2011 GMT
Not After : Jul 29 15:41:56 2021 GMT
Subject: C=fr, ST=IDF, L=Town, O=example,
OU=IT,CN=ldap1.example.fr/[email protected]
<http://ldap1.example.fr/[email protected]>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
I have renewed them using the same self signed authority to validate
them, and of course using exactly the same subject. My new certificate
look like this :
$ openssl x509 -text -in server.crt (see this : sha2, 4096 bit) :
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT,
CN=ldap/[email protected] <mailto:[email protected]>
Validity
Not Before: Jul 22 15:24:50 2015 GMT
Not After : Feb 19 15:24:50 2025 GMT
Subject: C=fr, ST=IDF, L=Town, O=example,
OU=IT,CN=ldap1.example.fr/[email protected]
<http://ldap1.example.fr/[email protected]>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
I installed my new certificate on ldap1 without changing the
configuration, and restarting the server here is what I get on ldap4
logs (loglevel = sync ) :
$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect:
URI=ldap://ldap1.example.fr <http://ldap1.example.fr> Warning,
ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect:
URI=ldap://ldap1.example.fr <http://ldap1.example.fr>
ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect:
URI=ldap://ldap1.example.fr <http://ldap1.example.fr> Warning,
ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect:
URI=ldap://ldap1.example.fr <http://ldap1.example.fr>
ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6
retrying
When reinstalling the previous certificates and restarting ldap1 the
server I see this appearing in ldap4 logs :
...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432
LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Question : are there some limitations (key size, encryption algorithm,
etc.) for certificates used by openldap to manage TLS connexions ?
Does openldap tls connections work with certificates sha 256 With RSA
Encryption using a 4096 public key length ? May be I missed something ?
(note : I use openssl to manage my certificates)
Thanks for any help.
Hello Olivier,
as far as I know, there are no limitation on key size in OpenLDAP. You
should first try to test your new certificate by querying your LDAP
server with openssl s_client. Then you can try to use a higher log level
(use at least the 'conns' level) to get more details on the error. Try
to request the LDAP server with ldapsearch, first with LDAPS, then with
startTLS, and see what happens.
--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS