On Fri, 29 Oct 2021, Ballem, Narayanan wrote:
> Hope you can help with this issue.
> 
> 1) I am trying to disable SSLv3 on OpenLDAP servers. We are using OpenLDAP 
> as a proxy with upstream Active Directory servers, and we are using CA certs 
> with this OpenSSL. We would like to disable SSLv3. I added the below entry to 
> slapd.conf, but when I tried to start slapd, it fails to start:
>
> TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3

Yeah, OpenSSL's cipher selector "SSLv3" doesn't mean what you think and 
does *not* control what TLS *protocol versions* are offered.  A different 
API call is needed and in OpenLDAP that's done with this option:

       TLSProtocolMin <major>[.<minor>]
              Specifies minimum SSL/TLS protocol version that will be 
              negotiated.  If the server doesn't support at least that 
              version, the SSL handshake will fail.  To require TLS 1.x or 
              higher, set this option to 3.(x+1), e.g.,

                   TLSProtocolMin 3.2

              would require TLS 1.1.  Specifying a minimum that is higher 
              than that supported by the OpenLDAP implementation will 
              result in it requiring the highest level that it does 
              support.  This directive is ignored with GnuTLS.

So, to just disable SSLv3 but support TLSv1.0 and higher, use
        TLSProtocolMin 3.1

(Frankly, you should be pushing *really hard* to require TLSv1.2 as a 
minimum.)

For TLSCipherSuite you'll then want to use
        TLSCipherSuite HIGH:MEDIUM

or probably:
        TLSCipherSuite HIGH

because do you *really* want to permit RC4-MD5, which is part of MEDIUM?  
If you have clients that require such crappy old ciphers then they 
*absolutely* need to be updated/replaced.


Philip Guenther

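To make the distinction in the reply concrete, here is an added example (my own code for this page, not OpenLDAP's and not from either poster): a small Python linter that reads the TLS* directives out of a slapd.conf fragment, flags cipher-string protocol keywords such as "!SSLv3" that do not restrict the protocol version, flags MEDIUM, and checks TLSProtocolMin against the 3.(x+1) numbering the man page describes, defaulting to the TLS 1.2 floor (3.3) recommended above. The parsing rules it applies (comment lines, whitespace continuation lines, case-insensitive directive names) are assumptions about slapd.conf syntax, and the two sample configurations at the bottom are constructed for this example.

```python
"""Audit the TLS directives in a slapd.conf fragment.

Added example for this thread; it is not OpenLDAP code and does not load a
real slapd.conf.  It encodes the two points in the reply above: a cipher-string
keyword such as "!SSLv3" does not change which protocol versions slapd offers
(only TLSProtocolMin does), and TLSProtocolMin 3.x means "at least TLS 1.(x-1)".
The sample configurations at the bottom are constructed for this example.
"""
import re

# OpenSSL cipher-string keywords that name a protocol version.  Each selects the
# ciphers introduced with that version; negating one removes those ciphers but
# leaves the protocol itself negotiable.
PROTOCOL_KEYWORDS = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.2", "tlsv1.3"}


def version_tuple(value):
    """Parse a TLSProtocolMin value ("3", "3.2") into (major, minor)."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?\s*", value)
    if not m:
        raise ValueError("bad TLSProtocolMin value: %r" % value)
    return int(m.group(1)), int(m.group(2) or 0)


def protocolmin_to_name(value):
    """Map TLSProtocolMin's 3.x numbering to the protocol name it requires."""
    major, minor = version_tuple(value)
    if major != 3:
        raise ValueError("unsupported major version %d" % major)
    return "SSLv3" if minor == 0 else "TLS 1.%d" % (minor - 1)


def parse_slapd_tls(text):
    """Return {directive_name_lowercased: value} for the TLS* directives.

    Assumed slapd.conf conventions: '#' begins a comment line, a line starting
    with whitespace continues the previous directive, and directive names are
    case-insensitive.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    directives = {}
    for line in lines:
        parts = line.split(None, 1)
        if parts[0].lower().startswith("tls"):
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def audit_tls(text, required_min="3.3"):
    """Return a list of findings; an empty list means no problem was found.

    required_min defaults to 3.3 (TLS 1.2), the floor recommended in the reply.
    """
    d = parse_slapd_tls(text)
    findings = []
    suite = d.get("tlsciphersuite", "")
    for token in (t.strip() for t in suite.split(":") if t.strip()):
        negated = token[0] in "!-"
        bare = token.lstrip("!-+").lower()
        if bare in PROTOCOL_KEYWORDS:
            findings.append(
                "TLSCipherSuite token %r only %s ciphers by the protocol that "
                "introduced them; it does not control the negotiated protocol "
                "version. Use TLSProtocolMin for that."
                % (token, "removes" if negated else "selects"))
        elif bare == "medium" and not negated:
            findings.append(
                "TLSCipherSuite includes MEDIUM, which admits RC4 ciphers such "
                "as RC4-MD5; prefer HIGH.")
    want_name = protocolmin_to_name(required_min)
    pm = d.get("tlsprotocolmin")
    if pm is None:
        findings.append(
            "TLSProtocolMin is not set, so the protocol floor is whatever the "
            "TLS library defaults to; set 'TLSProtocolMin %s' to require %s."
            % (required_min, want_name))
    elif version_tuple(pm) < version_tuple(required_min):
        findings.append(
            "TLSProtocolMin %s allows %s; raise it to %s to require %s."
            % (pm, protocolmin_to_name(pm), required_min, want_name))
    return findings


# Constructed for this example: the poster's attempt, and a corrected version.
BROKEN_CONF = """\
# proxy to upstream AD (constructed example)
TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3
"""
FIXED_CONF = """\
TLSProtocolMin 3.3
TLSCipherSuite HIGH
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label + ":")
        for finding in audit_tls(conf) or ["no findings"]:
            print("  - " + finding)
```

Run it as a script to see the four findings for the poster's fragment (two protocol keywords, MEDIUM, and no TLSProtocolMin) and none for the corrected one; pass required_min="3.1" to audit_tls if you only want to enforce the bare "no SSLv3" floor from the reply.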