Hello everyone, I am trying to improve security in ApacheDS by limiting the accepted protocols and ciphers for ldaps connections. To do that, I'm altering the ads-transportid=ldaps.ldif file. Example:

dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-systemport: 10636
ads-transportenablessl: TRUE
ads-transportaddress: 0.0.0.0
ads-transportid: ldaps
objectclass: ads-transport
objectclass: ads-tcpTransport
objectClass: ads-base
objectclass: top
ads-enabled: TRUE
ads-enabledProtocols: TLSv1.1
ads-enabledProtocols: TLSv1.2
ads-wantClientAuth: true
ads-needClientAuth: false

The code above successfully removes TLSv1.0 from being accepted. Here is the result from nmap:

$ nmap --script ssl-cert,ssl-enum-ciphers -p 10636 192.168.2.209

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-25 19:52 CET
Nmap scan report for vm-ubuntu (192.168.2.209)
Host is up (0.00034s latency).
PORT      STATE SERVICE
10636/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256k1) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 1024) - E
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_DES_CBC_SHA - F
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256k1) - E
|       TLS_ECDHE_RSA_WITH_NULL_SHA (secp256k1) - F
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_ECDH_anon_WITH_NULL_SHA - F
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 512) - E
|       TLS_RSA_WITH_NULL_MD5 (rsa 512) - F
|       TLS_RSA_WITH_NULL_SHA (rsa 512) - F
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - C
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - C
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256k1) - E
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256k1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - C
|       TLS_ECDHE_RSA_WITH_NULL_SHA (secp256k1) - F
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_ECDH_anon_WITH_NULL_SHA - F
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 512) - C
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 512) - C
|       TLS_RSA_WITH_NULL_MD5 (rsa 512) - F
|       TLS_RSA_WITH_NULL_SHA (rsa 512) - F
|       TLS_RSA_WITH_NULL_SHA256 (rsa 512) - F
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: F

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

So, the next step is limiting the ciphers. Let's say that I want only some of the above ciphers. I pick some and put them in the same .ldif file (example):

ads-enabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ads-enabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ads-enabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

After restarting ApacheDS, the result of the same nmap command is the same as before. What am I doing wrong? Am I putting these parameters in the correct place? I know the ads-enabledCiphers entries are being read because when I put a nonexistent cipher there, ADS won't accept any connections.

Also, does ApacheDS use the system-wide security providers (defined in java.security) or does it have its own set defined somewhere?

Many thanks,
Tom