On Wed, 22 Oct 2014, Peter Boguszewski wrote:
> I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when
> attempting to disable SSLv3. I have compiled the servers with the
> --with-tls=openssl option and communication appears to be working well between
> servers no matter what I have for SSL Protocol. My problems are with the
> clients.
> For client configuration I install the openldap-clients package via yum
> install. Everything works as expected with this setting on the server side:
> olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
> As soon as I modify the +SSLv3 to -SSLv3 to this:
> olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
> the client no longer works.
Cipher suites are not protocol versions. To configure slapd to only
negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented
in slapd-config(5).
If you want to understand what your cipher suite specification was
doing then you should
1) read the ciphers(1) manpage (or maybe the CIPHERS section of the
openssl(1) manpage), and
2) test them with the "openssl ciphers -v" ciphers command, a la
openssl ciphers -v HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
You'll quickly find out that "TLSv1.1" isn't a valid specifier, nor is
"TLSv1.0", and ciphers covered by "SSLv3" are also used by TLS. Your last
request therefore disabled all the pre-TLSv1.2 ciphers.
To require TLSv1.0 or higher with 128bit and longer ciphers you probably
just want:
olcTLSProtocolMin: 3.1
olcTLSCipherSuite: HIGH
...
> Is there a solution to LDAP auth for RHEL clients with only allowing
> TLSv1.2? I will gladly compile from source or use the LTB Project rpms.
It seems your client systems don't actually support the TLSv1.2 ciphers.
You'll need to fix that by building against a crypto library which
actually supports them before you can try to require it.
Philip
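The check Philip recommends, done with Python's standard-library ssl module instead of the openssl(1) command line. This is an added example, not code from the thread, from OpenLDAP or from OpenSSL: it reads back the same per-suite protocol column that "openssl ciphers -v" prints, applies Peter's string and the "-SSLv3" rule to it, and shows that a cipher string never moves the protocol floor, which is what olcTLSProtocolMin is for. The PROTOCOL_MIN table is the major.minor notation of slapd-config(5) (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2) mapped onto ssl.TLSVersion; the function names are this example's own.

```python
"""Cipher strings versus protocol floors, checked with Python's ssl module.

Added example (not from the thread, OpenLDAP or OpenSSL).  It needs only the
standard-library ssl module, which calls into OpenSSL underneath, so what it
reports is what "openssl ciphers -v" would have shown Peter.
"""
import ssl

# Peter's second server-side string, the one that broke his clients.
PETERS_STRING = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2"

# olcTLSProtocolMin values as written in slapd-config(5) (major.minor),
# mapped onto the ssl module's TLSVersion enum.
PROTOCOL_MIN = {
    "3.1": ssl.TLSVersion.TLSv1,
    "3.2": ssl.TLSVersion.TLSv1_1,
    "3.3": ssl.TLSVersion.TLSv1_2,
}


def selected_suites(cipher_string):
    """Return {suite name: minimum protocol} for the suites a cipher string keeps.

    The protocol value is the column "openssl ciphers -v" prints.  It is the
    lowest version a suite can be used with, not a version it is restricted
    to: a suite listed as "SSLv3" is negotiated by TLS 1.0 and 1.1 as well.
    TLS 1.3 suites live in a separate list and are reported whatever the
    cipher string says, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {
        c["name"]: c["protocol"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    }


def suites_dropped_by(base, rule):
    """Names of the suites in `base` that appending `rule` removes."""
    return set(selected_suites(base)) - set(selected_suites(base + ":" + rule))


def cipher_string_moves_floor(cipher_string):
    """True if set_ciphers() changed the context's minimum protocol version.

    It never does: cipher strings select suites, the floor is a separate
    setting.  This is the mistake in the original olcTLSCipherSuite value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = ctx.minimum_version
    ctx.set_ciphers(cipher_string)
    return ctx.minimum_version != before


def context_like_slapd(protocol_min, cipher_suite="HIGH"):
    """Configure a context the way the reply recommends configuring slapd:
    the floor comes from olcTLSProtocolMin, the cipher string only picks
    suites.  protocol_min is a slapd-config(5) value such as "3.1" or "3.3".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = PROTOCOL_MIN[protocol_min]
    ctx.set_ciphers(cipher_suite)
    return ctx


if __name__ == "__main__":
    high = selected_suites("HIGH")
    kept = selected_suites(PETERS_STRING)
    print("HIGH keeps %d suites, Peter's string keeps %d" % (len(high), len(kept)))
    print("suites removed by -SSLv3:", sorted(suites_dropped_by("HIGH", "-SSLv3")))
    print("protocols left by Peter's string:", sorted(set(kept.values())))
    print("cipher string moved the floor:", cipher_string_moves_floor(PETERS_STRING))
    ctx = context_like_slapd("3.3")
    print("olcTLSProtocolMin 3.3 gives minimum_version", ctx.minimum_version)
```

Run it as a script and the "protocols left" line comes out as TLSv1.2 only, which is why Peter's pre-1.2 clients had nothing to negotiate, while the floor line stays False: the string never touched the protocol version. Swapping "3.3" for "3.1" in context_like_slapd() gives the TLS 1.0-and-up setup Philip suggests, with HIGH as the cipher string.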