On 14/12/2022 07:32, Erik de Waard wrote:
Hi,
Take a look at TLSCipherSuite
Erik
On Wed, Dec 14, 2022, 07:23 Andre Rodier <[email protected]
<mailto:[email protected]>> wrote:
Hello,
I have configured OpenLDAP using SSL certificate, but I have a few issues.
Here the TLS configuration, especially "olcTLSProtocolMin: 3.3"
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 c70363a6
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcToolThreads: 1
> structuralObjectClass: olcGlobal
> entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4
> creatorsName: cn=config
> createTimestamp: 20221213065102Z
> olcPasswordCryptSaltFormat: $6$%.16s
> olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt
> olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key
> olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
> olcTLSProtocolMin: 3.3
> entryCSN: 20221214054517.926245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20221214054517Z
But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ?
> root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636
> Version: 2.0.7
> OpenSSL 1.1.1n 15 Mar 2022
>
> Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
>
> Testing SSL server ldap.homebox.world on port 636 using SNI name
ldap.homebox.world
>
> SSL/TLS Protocols:
> SSLv2 disabled
> SSLv3 disabled
> TLSv1.0 enabled
> TLSv1.1 enabled
> TLSv1.2 enabled
> TLSv1.3 enabled
>
> TLS Fallback SCSV:
> Server supports TLS Fallback SCSV
>
> TLS renegotiation:
> Secure session renegotiation supported
>
> TLS Compression:
> OpenSSL version does not support compression
> Rebuild with zlib1g-dev package for zlib support
>
> Heartbleed:
> TLSv1.3 not vulnerable to heartbleed
> TLSv1.2 not vulnerable to heartbleed
> TLSv1.1 not vulnerable to heartbleed
> TLSv1.0 not vulnerable to heartbleed
>
> Supported Server Cipher(s):
> Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519
DHE 253
> Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519
DHE 253
> Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519
DHE 253
> Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519
DHE 253
> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519
DHE 253
> Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519
DHE 253
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519
DHE 253
> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519
DHE 253
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519
DHE 253
> Accepted TLSv1.2 256 bits AES256-GCM-SHA384
> Accepted TLSv1.2 256 bits AES256-CCM
> Accepted TLSv1.2 128 bits AES128-GCM-SHA256
> Accepted TLSv1.2 128 bits AES128-CCM
> Accepted TLSv1.2 256 bits AES256-SHA
> Accepted TLSv1.2 128 bits AES128-SHA
> Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519
DHE 253
> Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519
DHE 253
> Accepted TLSv1.1 256 bits AES256-SHA
> Accepted TLSv1.1 128 bits AES128-SHA
> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519
DHE 253
> Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519
DHE 253
> Accepted TLSv1.0 256 bits AES256-SHA
> Accepted TLSv1.0 128 bits AES128-SHA
>
> Server Key Exchange Group(s):
> TLSv1.3 128 bits secp256r1 (NIST P-256)
> TLSv1.3 192 bits secp384r1 (NIST P-384)
> TLSv1.3 260 bits secp521r1 (NIST P-521)
> TLSv1.3 128 bits x25519
> TLSv1.3 224 bits x448
> TLSv1.3 112 bits ffdhe2048
> TLSv1.3 128 bits ffdhe3072
> TLSv1.3 150 bits ffdhe4096
> TLSv1.3 175 bits ffdhe6144
> TLSv1.3 192 bits ffdhe8192
> TLSv1.2 128 bits secp256r1 (NIST P-256)
> TLSv1.2 192 bits secp384r1 (NIST P-384)
> TLSv1.2 260 bits secp521r1 (NIST P-521)
> TLSv1.2 128 bits x25519
> TLSv1.2 224 bits x448
>
> SSL Certificate:
> Signature Algorithm: sha256WithRSAEncryption
> RSA Key Strength: 2048
>
> Subject: ldap.homebox.world
> Altnames: DNS:ldap.homebox.world
> Issuer: (STAGING) Artificial Apricot R3
>
> Not valid before: Dec 13 05:34:29 2022 GMT
> Not valid after: Mar 13 05:34:28 2023 GMT
Thanks for your insights.
Andre
Well, actually, this is the next issue.
For instance, here the LDIF file I use:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap.homebox.world.issuer.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.homebox.world.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.homebox.world.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
And then, when I try to set the cipher suite:
root@main:/etc/ldap/changes# ldapmodify -QY EXTERNAL -H ldapi:/// -d 99 -f
/etc/ldap/changes/ssl-config.ldif
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=main
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd > ldap_write: want=26, written=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_msgfree
ldap_result ld 0x5615325c7bd0 msgid 1
wait4msg ld 0x5615325c7bd0 msgid 1 (infinite timeout)
wait4msg continue ld 0x5615325c7bd0 msgid 1 all 1
** ld 0x5615325c7bd0 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Wed Dec 14 05:47:30 2022
** ld 0x5615325c7bd0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5615325c7bd0 request count 1 (abandoned 0)
** ld 0x5615325c7bd0 Response Queue:
Empty
ld 0x5615325c7bd0 response count 0
ldap_chkResponseList ld 0x5615325c7bd0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
ldap_int_select
read1msg: ld 0x5615325c7bd0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x5615325c7bd0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5615325c7bd0 0 new referrals
read1msg: mark request completed, ld 0x5615325c7bd0 msgid 1
request done: ld 0x5615325c7bd0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 54 bytes to sd 4
ldap_write: want=54, written=54
0000: 30 34 02 01 02 66 2f 04 09 63 6e 3d 63 6f 6e 66 04...f/..cn=conf
0010: 69 67 30 22 30 20 0a 01 00 30 1b 04 11 6f 6c 63 ig0"0 ...0...olc
0020: 54 4c 53 43 69 70 68 65 72 53 75 69 74 65 31 06 TLSCipherSuite1.
0030: 04 04 48 49 47 48 ..HIGH
ldap_result ld 0x5615325c7bd0 msgid 2
wait4msg ld 0x5615325c7bd0 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x5615325c7bd0 msgid 2 all 1
** ld 0x5615325c7bd0 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Wed Dec 14 05:47:30 2022
** ld 0x5615325c7bd0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x5615325c7bd0 request count 1 (abandoned 0)
** ld 0x5615325c7bd0 Response Queue:
Empty
ld 0x5615325c7bd0 response count 0
ldap_chkResponseList ld 0x5615325c7bd0 msgid 2 all 1
ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
ldap_int_select
read1msg: ld 0x5615325c7bd0 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 02 67 07 0a 0....g..
ldap_read: want=6, got=6
0000: 01 50 04 00 04 00 .P....
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x5615325c7bd0 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x5615325c7bd0 0 new referrals
read1msg: mark request completed, ld 0x5615325c7bd0 msgid 2
request done: ld 0x5615325c7bd0 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_write: want=7, written=7
0000: 30 05 02 01 03 42 00 0....B.
ldap_free_connection: actually freed
I have the (in)famous "Other (e.g., implementation specific) error (80)"
I also tried the example given here: https://access.redhat.com/articles/1474813
EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
But same "implementation specific error"
However, if I remove the cipher suite, the ldap modify command is working.
Thanks for any advice.
