Try "NORMAL:-RSA"

Your version is probably built against gnutls instead of openssl.

See: the manual on TLSCipherSuite

On Wed, Dec 14, 2022, 08:41 Andre Rodier <[email protected]> wrote:

> On 14/12/2022 07:32, Erik de Waard wrote:
> > Hi,
> >
> > Take a look at TLSCipherSuite
> >
> > Erik
> >
> > On Wed, Dec 14, 2022, 07:23 Andre Rodier <[email protected]> wrote:
> >
> > Hello,
> >
> > I have configured OpenLDAP using SSL certificate, but I have a few issues.
> >
> > Here the TLS configuration, especially "olcTLSProtocolMin: 3.3"
> >
> > > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> > > # CRC32 c70363a6
> > > dn: cn=config
> > > objectClass: olcGlobal
> > > cn: config
> > > olcArgsFile: /var/run/slapd/slapd.args
> > > olcLogLevel: none
> > > olcPidFile: /var/run/slapd/slapd.pid
> > > olcToolThreads: 1
> > > structuralObjectClass: olcGlobal
> > > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4
> > > creatorsName: cn=config
> > > createTimestamp: 20221213065102Z
> > > olcPasswordCryptSaltFormat: $6$%.16s
> > > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt
> > > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key
> > > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
> > > olcTLSProtocolMin: 3.3
> > > entryCSN: 20221214054517.926245Z#000000#000#000000
> > > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > > modifyTimestamp: 20221214054517Z
> >
> > But if I try sslscan, I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why?
> >
> > > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636
> > > Version: 2.0.7
> > > OpenSSL 1.1.1n  15 Mar 2022
> > >
> > > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
> > >
> > > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world
> > >
> > >   SSL/TLS Protocols:
> > > SSLv2     disabled
> > > SSLv3     disabled
> > > TLSv1.0   enabled
> > > TLSv1.1   enabled
> > > TLSv1.2   enabled
> > > TLSv1.3   enabled
> > >
> > >   TLS Fallback SCSV:
> > > Server supports TLS Fallback SCSV
> > >
> > >   TLS renegotiation:
> > > Secure session renegotiation supported
> > >
> > >   TLS Compression:
> > > OpenSSL version does not support compression
> > > Rebuild with zlib1g-dev package for zlib support
> > >
> > >   Heartbleed:
> > > TLSv1.3 not vulnerable to heartbleed
> > > TLSv1.2 not vulnerable to heartbleed
> > > TLSv1.1 not vulnerable to heartbleed
> > > TLSv1.0 not vulnerable to heartbleed
> > >
> > >   Supported Server Cipher(s):
> > > Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
> > > Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
> > > Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
> > > Accepted  TLSv1.3  128 bits  TLS_AES_128_CCM_SHA256        Curve 25519 DHE 253
> > > Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
> > > Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
> > > Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
> > > Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
> > > Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
> > > Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
> > > Accepted  TLSv1.2  256 bits  AES256-CCM
> > > Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
> > > Accepted  TLSv1.2  128 bits  AES128-CCM
> > > Accepted  TLSv1.2  256 bits  AES256-SHA
> > > Accepted  TLSv1.2  128 bits  AES128-SHA
> > > Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
> > > Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
> > > Accepted  TLSv1.1  256 bits  AES256-SHA
> > > Accepted  TLSv1.1  128 bits  AES128-SHA
> > > Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
> > > Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
> > > Accepted  TLSv1.0  256 bits  AES256-SHA
> > > Accepted  TLSv1.0  128 bits  AES128-SHA
> > >
> > >   Server Key Exchange Group(s):
> > > TLSv1.3  128 bits  secp256r1 (NIST P-256)
> > > TLSv1.3  192 bits  secp384r1 (NIST P-384)
> > > TLSv1.3  260 bits  secp521r1 (NIST P-521)
> > > TLSv1.3  128 bits  x25519
> > > TLSv1.3  224 bits  x448
> > > TLSv1.3  112 bits  ffdhe2048
> > > TLSv1.3  128 bits  ffdhe3072
> > > TLSv1.3  150 bits  ffdhe4096
> > > TLSv1.3  175 bits  ffdhe6144
> > > TLSv1.3  192 bits  ffdhe8192
> > > TLSv1.2  128 bits  secp256r1 (NIST P-256)
> > > TLSv1.2  192 bits  secp384r1 (NIST P-384)
> > > TLSv1.2  260 bits  secp521r1 (NIST P-521)
> > > TLSv1.2  128 bits  x25519
> > > TLSv1.2  224 bits  x448
> > >
> > >   SSL Certificate:
> > > Signature Algorithm: sha256WithRSAEncryption
> > > RSA Key Strength:    2048
> > >
> > > Subject:  ldap.homebox.world
> > > Altnames: DNS:ldap.homebox.world
> > > Issuer:   (STAGING) Artificial Apricot R3
> > >
> > > Not valid before: Dec 13 05:34:29 2022 GMT
> > > Not valid after:  Mar 13 05:34:28 2023 GMT
> >
> > Thanks for your insights.
> >
> > Andre
>
> Well, actually, this is the next issue.
>
> For instance, here the LDIF file I use:
>
> > dn: cn=config
> > add: olcTLSCACertificateFile
> > olcTLSCACertificateFile: /etc/ssl/certs/ldap.homebox.world.issuer.crt
> > -
> > add: olcTLSCertificateFile
> > olcTLSCertificateFile: /etc/ssl/certs/ldap.homebox.world.crt
> > -
> > add: olcTLSCertificateKeyFile
> > olcTLSCertificateKeyFile: /etc/ssl/private/ldap.homebox.world.key
> > -
> > add: olcTLSProtocolMin
> > olcTLSProtocolMin: 3.3
> > -
> > add: olcTLSCipherSuite
> > olcTLSCipherSuite: HIGH
>
> And then, when I try to set the cipher suite:
>
> > root@main:/etc/ldap/changes# ldapmodify -QY EXTERNAL -H ldapi:/// -d 99 -f /etc/ldap/changes/ssl-config.ldif
> > ldap_url_parse_ext(ldapi:///)
> > ldap_create
> > ldap_url_parse_ext(ldapi:///??base)
> > ldap_sasl_interactive_bind: user selected: EXTERNAL
> > ldap_int_sasl_bind: EXTERNAL
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_path
> > ldap_new_socket: 4
> > ldap_connect_to_path: Trying /var/run/slapd/ldapi
> > ldap_connect_timeout: fd: 4 tm: -1 async: 0
> > ldap_ndelay_on: 4
> > ldap_ndelay_off: 4
> > ldap_int_sasl_open: host=main
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_send_server_request
> > ber_scanf fmt ({it) ber:
> > ber_scanf fmt ({i) ber:
> > ber_flush2: 26 bytes to sd
> > ldap_write: want=26, written=26
> >   0000:  30 18 02 01 01 60 13 02  01 03 04 00 a3 0c 04 08   0....`..........
> >   0010:  45 58 54 45 52 4e 41 4c  04 00                     EXTERNAL..
> > ldap_msgfree
> > ldap_result ld 0x5615325c7bd0 msgid 1
> > wait4msg ld 0x5615325c7bd0 msgid 1 (infinite timeout)
> > wait4msg continue ld 0x5615325c7bd0 msgid 1 all 1
> > ** ld 0x5615325c7bd0 Connections:
> > * host: (null)  port: 0  (default)
> >   refcnt: 2  status: Connected
> >   last used: Wed Dec 14 05:47:30 2022
> >
> >
> > ** ld 0x5615325c7bd0 Outstanding Requests:
> >  * msgid 1,  origid 1, status InProgress
> >    outstanding referrals 0, parent count 0
> >   ld 0x5615325c7bd0 request count 1 (abandoned 0)
> > ** ld 0x5615325c7bd0 Response Queue:
> >    Empty
> >   ld 0x5615325c7bd0 response count 0
> > ldap_chkResponseList ld 0x5615325c7bd0 msgid 1 all 1
> > ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
> > ldap_int_select
> > read1msg: ld 0x5615325c7bd0 msgid 1 all 1
> > ber_get_next
> > ldap_read: want=8, got=8
> >   0000:  30 0c 02 01 01 61 07 0a                            0....a..
> > ldap_read: want=6, got=6
> >   0000:  01 00 04 00 04 00                                  ......
> > ber_get_next: tag 0x30 len 12 contents:
> > read1msg: ld 0x5615325c7bd0 msgid 1 message type bind
> > ber_scanf fmt ({eAA) ber:
> > read1msg: ld 0x5615325c7bd0 0 new referrals
> > read1msg:  mark request completed, ld 0x5615325c7bd0 msgid 1
> > request done: ld 0x5615325c7bd0 msgid 1
> > res_errno: 0, res_error: <>, res_matched: <>
> > ldap_free_request (origid 1, msgid 1)
> > ldap_int_sasl_bind: EXTERNAL
> > ldap_parse_sasl_bind_result
> > ber_scanf fmt ({eAA) ber:
> > ldap_parse_result
> > ber_scanf fmt ({iAA) ber:
> > ber_scanf fmt (}) ber:
> > ldap_msgfree
> > modifying entry "cn=config"
> > ldap_modify_ext
> > ldap_send_initial_request
> > ldap_send_server_request
> > ber_scanf fmt ({it) ber:
> > ber_scanf fmt ({) ber:
> > ber_flush2: 54 bytes to sd 4
> > ldap_write: want=54, written=54
> >   0000:  30 34 02 01 02 66 2f 04  09 63 6e 3d 63 6f 6e 66   04...f/..cn=conf
> >   0010:  69 67 30 22 30 20 0a 01  00 30 1b 04 11 6f 6c 63   ig0"0 ...0...olc
> >   0020:  54 4c 53 43 69 70 68 65  72 53 75 69 74 65 31 06   TLSCipherSuite1.
> >   0030:  04 04 48 49 47 48                                  ..HIGH
> > ldap_result ld 0x5615325c7bd0 msgid 2
> > wait4msg ld 0x5615325c7bd0 msgid 2 (timeout 100000 usec)
> > wait4msg continue ld 0x5615325c7bd0 msgid 2 all 1
> > ** ld 0x5615325c7bd0 Connections:
> > * host: (null)  port: 0  (default)
> >   refcnt: 2  status: Connected
> >   last used: Wed Dec 14 05:47:30 2022
> >
> >
> > ** ld 0x5615325c7bd0 Outstanding Requests:
> >  * msgid 2,  origid 2, status InProgress
> >    outstanding referrals 0, parent count 0
> >   ld 0x5615325c7bd0 request count 1 (abandoned 0)
> > ** ld 0x5615325c7bd0 Response Queue:
> >    Empty
> >   ld 0x5615325c7bd0 response count 0
> > ldap_chkResponseList ld 0x5615325c7bd0 msgid 2 all 1
> > ldap_chkResponseList returns ld 0x5615325c7bd0 NULL
> > ldap_int_select
> > read1msg: ld 0x5615325c7bd0 msgid 2 all 1
> > ber_get_next
> > ldap_read: want=8, got=8
> >   0000:  30 0c 02 01 02 67 07 0a                            0....g..
> > ldap_read: want=6, got=6
> >   0000:  01 50 04 00 04 00                                  .P....
> > ber_get_next: tag 0x30 len 12 contents:
> > read1msg: ld 0x5615325c7bd0 msgid 2 message type modify
> > ber_scanf fmt ({eAA) ber:
> > read1msg: ld 0x5615325c7bd0 0 new referrals
> > read1msg:  mark request completed, ld 0x5615325c7bd0 msgid 2
> > request done: ld 0x5615325c7bd0 msgid 2
> > res_errno: 80, res_error: <>, res_matched: <>
> > ldap_free_request (origid 2, msgid 2)
> > ldap_parse_result
> > ber_scanf fmt ({iAA) ber:
> > ber_scanf fmt (}) ber:
> > ldap_msgfree
> > ldap_err2string
> > ldap_modify: Other (e.g., implementation specific) error (80)
> >
> > ldap_free_connection 1 1
> > ldap_send_unbind
> > ber_flush2: 7 bytes to sd 4
> > ldap_write: want=7, written=7
> >   0000:  30 05 02 01 03 42 00                               0....B.
> > ldap_free_connection: actually freed
>
> I have the (in)famous "Other (e.g., implementation specific) error (80)"
>
> I also tried the example given here: https://access.redhat.com/articles/1474813
>
> > EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
>
> But same "implementation specific error"
>
> However, if I remove the cipher suite, the ldapmodify command is working.
>
> Thanks for any advice.
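The thread above shows two things a defender wants to check mechanically: a cn=config entry carrying olcTLSProtocolMin: 3.3 while sslscan still reports TLSv1.0 and TLSv1.1 as enabled, and an olcTLSCipherSuite value in OpenSSL syntax ("HIGH") being rejected with error 80 by a slapd that, as the reply points out, is probably linked against GnuTLS. The script below is an added example and is not code from the thread, from OpenLDAP or from sslscan. It parses the olcTLSProtocolMin value out of the cn=config LDIF and the protocol table out of sslscan's output (both sample inputs are embedded and taken from the quoted text), lists every protocol version the server still accepts below the configured floor, and derives a GnuTLS priority string that disables those versions. The version mapping (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3) follows slapd.conf(5); the "-VERS-TLS1.x" priority keywords are an assumption about the installed GnuTLS and should be checked with gnutls-cli before the string is loaded into cn=config.

```python
import re
from typing import Dict, List, Optional

# slapd.conf(5) writes TLSProtocolMin as <major>.<minor> of the TLS record
# layer: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3.
PROTOCOL_MIN_NAMES = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1",
                      "3.3": "TLSv1.2", "3.4": "TLSv1.3"}
# Oldest to newest, named as sslscan prints them; defines what "below" means.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample: the relevant lines of the cn=config entry from the thread.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
olcTLSProtocolMin: 3.3
"""

# Constructed sample: the protocol table from the sslscan run in the thread.
SAMPLE_SSLSCAN = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV
"""


def parse_protocol_min(ldif: str) -> Optional[str]:
    """Return the olcTLSProtocolMin value from cn=config LDIF text, or None."""
    m = re.search(r"^olcTLSProtocolMin:\s*(\d+(?:\.\d+)?)\s*$", ldif, re.MULTILINE)
    if not m:
        return None
    value = m.group(1)
    return value if "." in value else value + ".0"  # a bare "3" means 3.0


def parse_sslscan_protocols(output: str) -> Dict[str, bool]:
    """Parse sslscan's 'SSL/TLS Protocols' table into {version: enabled}."""
    enabled: Dict[str, bool] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(SSLv2|SSLv3|TLSv1\.[0-3])\s+(enabled|disabled)\s*$", line)
        if m:
            enabled[m.group(1)] = m.group(2) == "enabled"
    return enabled


def protocols_below_min(enabled: Dict[str, bool], protocol_min: str) -> List[str]:
    """Versions the server still accepts although they are older than the
    configured minimum. An empty list means the floor is actually enforced."""
    floor_name = PROTOCOL_MIN_NAMES.get(protocol_min)
    if floor_name is None:
        raise ValueError(f"unsupported olcTLSProtocolMin value {protocol_min!r}")
    floor = VERSION_ORDER.index(floor_name)
    return [v for v in VERSION_ORDER[:floor] if enabled.get(v, False)]


def gnutls_priority_for_min(protocol_min: str, base: str = "NORMAL") -> str:
    """Derive a GnuTLS priority string that removes every TLS version below the
    floor, for a slapd linked against GnuTLS (where OpenSSL-style strings such
    as "HIGH" are not accepted). Assumption: the -VERS-TLS1.x keywords match the
    installed GnuTLS; verify with gnutls-cli before loading it into cn=config."""
    floor = VERSION_ORDER.index(PROTOCOL_MIN_NAMES[protocol_min])
    too_old = [v for v in VERSION_ORDER[:floor] if v.startswith("TLSv")]
    return base + "".join(":-VERS-TLS" + v[len("TLSv"):] for v in too_old)


def audit(ldif: str, sslscan_output: str) -> List[str]:
    """Human-readable findings for a config entry and a matching scan result."""
    protocol_min = parse_protocol_min(ldif)
    if protocol_min is None:
        return ["olcTLSProtocolMin is not set; every version the library supports is offered"]
    leaked = protocols_below_min(parse_sslscan_protocols(sslscan_output), protocol_min)
    if not leaked:
        return [f"olcTLSProtocolMin {protocol_min} is enforced"]
    return [f"olcTLSProtocolMin {protocol_min} ({PROTOCOL_MIN_NAMES[protocol_min]}) is set, "
            f"but the server still accepts: {', '.join(leaked)}",
            f"GnuTLS priority string to try: {gnutls_priority_for_min(protocol_min)}"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, SAMPLE_SSLSCAN):
        print(finding)
```

Run it against the real files by replacing the two samples with the output of `slapcat -n 0` (or `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config`) and of `sslscan host:636`; after loading the suggested olcTLSCipherSuite value and restarting slapd, a second sslscan run should make `protocols_below_min` return an empty list. The priority string is deliberately built on top of a base keyword ("NORMAL" here, the same base the reply suggests) rather than by enumerating ciphers, so that the cipher selection stays with the library's defaults and only the protocol floor is pinned.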
