Hi,

Take a look at TLSCipherSuite

Erik

On Wed, Dec 14, 2022, 07:23 Andre Rodier <[email protected]> wrote:

> Hello,
>
> I have configured OpenLDAP using an SSL certificate, but I have a few issues.
>
> Here is the TLS configuration, especially "olcTLSProtocolMin: 3.3":
>
> > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> > # CRC32 c70363a6
> > dn: cn=config
> > objectClass: olcGlobal
> > cn: config
> > olcArgsFile: /var/run/slapd/slapd.args
> > olcLogLevel: none
> > olcPidFile: /var/run/slapd/slapd.pid
> > olcToolThreads: 1
> > structuralObjectClass: olcGlobal
> > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4
> > creatorsName: cn=config
> > createTimestamp: 20221213065102Z
> > olcPasswordCryptSaltFormat: $6$%.16s
> > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt
> > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key
> > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt
> > olcTLSProtocolMin: 3.3
> > entryCSN: 20221214054517.926245Z#000000#000#000000
> > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > modifyTimestamp: 20221214054517Z
>
> But if I try sslscan, I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why?
>
> > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636
> > Version: 2.0.7
> > OpenSSL 1.1.1n  15 Mar 2022
> >
> > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4
> >
> > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world
> >
> >   SSL/TLS Protocols:
> > SSLv2     disabled
> > SSLv3     disabled
> > TLSv1.0   enabled
> > TLSv1.1   enabled
> > TLSv1.2   enabled
> > TLSv1.3   enabled
> >
> >   TLS Fallback SCSV:
> > Server supports TLS Fallback SCSV
> >
> >   TLS renegotiation:
> > Secure session renegotiation supported
> >
> >   TLS Compression:
> > OpenSSL version does not support compression
> > Rebuild with zlib1g-dev package for zlib support
> >
> >   Heartbleed:
> > TLSv1.3 not vulnerable to heartbleed
> > TLSv1.2 not vulnerable to heartbleed
> > TLSv1.1 not vulnerable to heartbleed
> > TLSv1.0 not vulnerable to heartbleed
> >
> >   Supported Server Cipher(s):
> > Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
> > Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
> > Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
> > Accepted  TLSv1.3  128 bits  TLS_AES_128_CCM_SHA256        Curve 25519 DHE 253
> > Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
> > Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
> > Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
> > Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
> > Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
> > Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
> > Accepted  TLSv1.2  256 bits  AES256-CCM
> > Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
> > Accepted  TLSv1.2  128 bits  AES128-CCM
> > Accepted  TLSv1.2  256 bits  AES256-SHA
> > Accepted  TLSv1.2  128 bits  AES128-SHA
> > Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
> > Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
> > Accepted  TLSv1.1  256 bits  AES256-SHA
> > Accepted  TLSv1.1  128 bits  AES128-SHA
> > Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
> > Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
> > Accepted  TLSv1.0  256 bits  AES256-SHA
> > Accepted  TLSv1.0  128 bits  AES128-SHA
> >
> >   Server Key Exchange Group(s):
> > TLSv1.3  128 bits  secp256r1 (NIST P-256)
> > TLSv1.3  192 bits  secp384r1 (NIST P-384)
> > TLSv1.3  260 bits  secp521r1 (NIST P-521)
> > TLSv1.3  128 bits  x25519
> > TLSv1.3  224 bits  x448
> > TLSv1.3  112 bits  ffdhe2048
> > TLSv1.3  128 bits  ffdhe3072
> > TLSv1.3  150 bits  ffdhe4096
> > TLSv1.3  175 bits  ffdhe6144
> > TLSv1.3  192 bits  ffdhe8192
> > TLSv1.2  128 bits  secp256r1 (NIST P-256)
> > TLSv1.2  192 bits  secp384r1 (NIST P-384)
> > TLSv1.2  260 bits  secp521r1 (NIST P-521)
> > TLSv1.2  128 bits  x25519
> > TLSv1.2  224 bits  x448
> >
> >   SSL Certificate:
> > Signature Algorithm: sha256WithRSAEncryption
> > RSA Key Strength:    2048
> >
> > Subject:  ldap.homebox.world
> > Altnames: DNS:ldap.homebox.world
> > Issuer:   (STAGING) Artificial Apricot R3
> >
> > Not valid before: Dec 13 05:34:29 2022 GMT
> > Not valid after:  Mar 13 05:34:28 2023 GMT
>
> Thanks for your insights.
>
> Andre
>
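The mismatch in the thread above is between the floor slapd was told to enforce (olcTLSProtocolMin, written as the TLS wire version: 3.1 is TLSv1.0, 3.2 is TLSv1.1, 3.3 is TLSv1.2, 3.4 is TLSv1.3) and what an external scan observes. The following script is an added example, not code from this thread, OpenLDAP or sslscan: it parses olcTLSProtocolMin out of an LDIF snippet, reads the "SSL/TLS Protocols" block of sslscan output, and lists every protocol version the scanner found enabled that is older than the configured floor. The LDIF and scan text embedded below are constructed to mirror the post (with a placeholder hostname), so it runs offline; point it at real `ldapsearch -b cn=config` and `sslscan` output to check your own server after each change.

```python
"""Check a slapd TLS version floor (olcTLSProtocolMin) against sslscan results.

Added example for the thread above; not part of OpenLDAP or sslscan.
"""
import re

# olcTLSProtocolMin is written as <major>.<minor> of the TLS record version.
WIRE_VERSION = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
    "TLSv1.3": (3, 4),
}

# Constructed sample config: same floor as in the post, placeholder host.
CONFIG_LDIF = """dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSProtocolMin: 3.3
"""

# Constructed sample sslscan output, trimmed to the relevant sections.
SCAN_OUTPUT = """Testing SSL server ldap.example.test on port 636 using SNI name ldap.example.test

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV
"""


def parse_protocol_min(ldif_text):
    """Return the configured floor as (major, minor), or None if not set."""
    m = re.search(r"^olcTLSProtocolMin:\s*(\d+)\.(\d+)\s*$", ldif_text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def parse_sslscan_protocols(scan_text):
    """Map protocol name -> True/False from sslscan's 'SSL/TLS Protocols:' block."""
    enabled = {}
    in_block = False
    for line in scan_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SSL/TLS Protocols:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = re.match(r"^(SSLv2|SSLv3|TLSv1\.[0-3])\s+(enabled|disabled)$", stripped)
        if m:
            enabled[m.group(1)] = m.group(2) == "enabled"
        elif stripped == "" and enabled:
            break  # a blank line closes the block
    return enabled


def protocols_below_minimum(ldif_text, scan_text):
    """Protocol versions the scan saw enabled although they are below the floor."""
    floor = parse_protocol_min(ldif_text)
    if floor is None:
        raise ValueError("no olcTLSProtocolMin found in the config LDIF")
    enabled = parse_sslscan_protocols(scan_text)
    return sorted(
        name for name, on in enabled.items()
        if on and name in WIRE_VERSION and WIRE_VERSION[name] < floor
    )


if __name__ == "__main__":
    floor = parse_protocol_min(CONFIG_LDIF)
    print("configured floor:", "%d.%d" % floor)
    weak = protocols_below_minimum(CONFIG_LDIF, SCAN_OUTPUT)
    if weak:
        print("enabled below the floor:", ", ".join(weak))
    else:
        print("scan agrees with the configured floor")
```

For the sample data this reports TLSv1.0 and TLSv1.1 as enabled below the floor, which is exactly the situation in the post. One caveat worth stating: on Debian-style builds where slapd is linked against GnuTLS, olcTLSCipherSuite takes a GnuTLS priority string, and the allowed protocol versions can also be constrained there (GnuTLS keywords such as `-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3`), so re-run a scan after every change to olcTLSProtocolMin or olcTLSCipherSuite rather than trusting the configuration alone.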
