Hi everyone
Question: are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connections?
See below for why I ask:
I have used the following configuration in my slapd servers for quite a while without any problem:
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow
See for example my configuration for syncrepl (note: tls_reqcert=demand):
olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type=refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap/cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 filter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand
I have used this for a couple of years on my multi-master LDAP servers, and until yesterday it worked perfectly: replication was working properly and clients talked to the servers using TLS without any problem.
But since my certificates were too weak (see: sha1, 512 bit):
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Dec 29 15:41:56 2011 GMT
            Not After : Jul 29 15:41:56 2021 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
I have renewed them using the same self-signed authority to validate them, and of course using exactly the same subject. My new certificate looks like this (see: sha2, 4096 bit):
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Jul 22 15:24:50 2015 GMT
            Not After : Feb 19 15:24:50 2025 GMT
        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
I installed my new certificate on ldap1 without changing the configuration, and after restarting the server here is what I get in the ldap4 logs (loglevel = sync):
$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying
When I reinstall the previous certificates and restart the ldap1 server, I see this appearing in the ldap4 logs:
...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Question: are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connections? Do openldap TLS connections work with certificates using sha256WithRSAEncryption and a 4096-bit public key? Maybe I missed something?
(note: I use openssl to manage my certificates)
Thanks for any help.
---
Olivier
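Before a consumer configured with tls_reqcert=demand will complete StartTLS to the provider, the server certificate has to verify against the consumer's tls_cacert and match the host named in the provider URI, and on the server side the certificate has to belong to the private key next to it. The script below, added here as an example and not part of Olivier's post, runs those checks offline with the openssl CLI against a throwaway PKI shaped like the one in the post (a self-signed CA "CN=ldap" issuing a sha256 / RSA-4096 certificate for ldap1.example.fr) and reports the signature algorithm and key size. It assumes openssl 1.1.1 or newer (needed for `-starttls ldap`); every path, subject and hostname in it is made up for the example.

```sh
#!/bin/sh
# Added example, not from the original post: offline checks for the files an
# OpenLDAP server (olcTLSCertificateFile / olcTLSCertificateKeyFile) and a
# syncrepl consumer (tls_cacert with tls_reqcert=demand) rely on.
# Assumes the openssl CLI; hostnames, subjects and paths are made up.

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Public key length in bits, e.g. 4096
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Does the private key (arg 2) belong to the certificate (arg 1)?
# Both commands emit the SubjectPublicKeyInfo as PEM, so a plain compare works.
cert_matches_key() {
    cmk_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cmk_crt" ] && [ -n "$cmk_key" ] && [ "$cmk_crt" = "$cmk_key" ]
}

# Does the certificate (arg 1) verify against the CA file (arg 2) the peer uses?
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the certificate also match the host (arg 3) from the provider URI?
# With no subjectAltName, as in the version 1 certs above, OpenSSL falls back
# to the subject CN.
cert_matches_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Run every check; prints findings, returns 0 only if all of them pass.
# Args: cert key ca-file provider-host
check_ldap_tls_material() {
    clt_rc=0
    echo "signature algorithm : $(cert_sig_alg "$1")"
    echo "public key bits     : $(cert_key_bits "$1")"
    cert_matches_key "$1" "$2"       || { echo "FAIL: $2 is not the key for $1"; clt_rc=1; }
    cert_chains_to_ca "$1" "$3"      || { echo "FAIL: $1 does not verify against $3"; clt_rc=1; }
    cert_matches_host "$1" "$3" "$4" || { echo "FAIL: $1 does not match host $4"; clt_rc=1; }
    [ "$clt_rc" -eq 0 ] && echo "OK: $1 is usable for $4"
    return $clt_rc
}

# Live variant seen from a consumer: StartTLS to the provider on 389 and
# verify against the consumer's tls_cacert (arg 2). Not run here, it needs a
# reachable server; exits non-zero when verification fails.
probe_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" \
        -verify_return_error </dev/null
}

# Build a throwaway PKI in directory $1 shaped like the post's: a self-signed
# CA "CN=ldap" issuing a sha256 / RSA-4096 server certificate.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/C=fr/O=example/CN=ldap" \
        -keyout "$1/CA.key" -out "$1/CA.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:4096 -nodes \
        -subj "/C=fr/O=example/CN=ldap1.example.fr" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 2 -in "$1/server.csr" \
        -CA "$1/CA.crt" -CAkey "$1/CA.key" -CAcreateserial \
        -out "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone run: generate the test PKI and check it as ldap4 would.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_test_pki "$demo_dir" &&
        check_ldap_tls_material "$demo_dir/server.crt" "$demo_dir/server.key" \
            "$demo_dir/CA.crt" ldap1.example.fr
    rm -rf "$demo_dir"
fi
```

Run it as `sh check_tls.sh --demo` for the throwaway PKI, or call `check_ldap_tls_material /etc/openldap/cacerts/server.crt /etc/openldap/cacerts/server.key /etc/openldap/cacerts/CA.crt ldap1.example.fr` on the real files, using the CA.crt copy that the consumer (ldap4) has, not the one on the provider, since a CA that was regenerated along with the server certificate would leave the consumer's tls_cacert stale. The same live check with OpenLDAP's own tools is `LDAPTLS_CACERT=/etc/openldap/cacerts/CA.crt ldapsearch -H ldap://ldap1.example.fr -ZZ -x -b '' -s base`, which also exercises the server's olcTLSCipherSuite setting.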