[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: enforce TLS 1.2 in OpenLDAP server side

Thanks for the LDAP tool box packages. I will give it a try. 

Quick questions, I ran ldd to find out which TLS/SSL library and it shows:

# ldd /usr/sbin/slapd

   linux-vdso.so.1 =>  (0x00007fff5b044000)
   libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f3a36585000)
   libdb-4.7.so => /lib64/libdb-4.7.so (0x00007f3a36211000)
   libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f3a35ff6000)
   libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f3a35dbf000)
   libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3a35ba5000)
   libssl3.so => /usr/lib64/libssl3.so (0x00007f3a35965000)
   libsmime3.so => /usr/lib64/libsmime3.so (0x00007f3a35739000)
   libnss3.so => /usr/lib64/libnss3.so (0x00007f3a353fa000)
   libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f3a351cd000)
   libplds4.so => /lib64/libplds4.so (0x00007f3a34fc9000)
   libplc4.so => /lib64/libplc4.so (0x00007f3a34dc4000)
   libnspr4.so => /lib64/libnspr4.so (0x00007f3a34b85000)
   libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a34968000)
   libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3a3475d000)
   libc.so.6 => /lib64/libc.so.6 (0x00007f3a343c8000)
   libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a341c4000)
   libfreebl3.so => /lib64/libfreebl3.so (0x00007f3a33f4d000)
   libz.so.1 => /lib64/libz.so.1 (0x00007f3a33d36000)
   librt.so.1 => /lib64/librt.so.1 (0x00007f3a33b2e000)
   /lib64/ld-linux-x86-64.so.2 (0x00007f3a3679c000)
   libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f3a33914000)


# rpm -qf /usr/lib64/libssl3.so 

nss-3.21.0-8.el6.x86_64



Will that (the line containing libssl3.so) confirm it is the MozNSS libs? 

I also tried the other settings and all clients immediately could not connect. It that a suggested settings for this purpose, or it is simply due to the wrong value I gave?

olcTLSCipherSuite: ALL:!TLSv1.0:!TLSv1.1:!SSLv3


Thanks,
Steve



On 9/12/16, 4:26 AM, "openldap-technical on behalf of Clément OUDOT" <openldap-technical-bounces@openldap.org on behalf of clement.oudot@savoirfairelinux.com> wrote:

>
>
>Le 11/09/2016 à 03:25, Steve Zeng a écrit :
>> Thanks for the note. So we need to rebuild it against OpenSSL?
>>
>>
>
>You can give a try to LDAP Tool Box packages which are built against 
>OpenSSL:
>* http://ltb-project.org/wiki/documentation/openldap-rpm
>* http://ltb-project.org/wiki/download#openldap
>
>-- 
>Clément OUDOT
>Consultant en logiciels libres, Expert infrastructure et sécurité
>Savoir-faire Linux
>87, rue de Turbigo - 75003 PARIS
>Blog: http://sflx.ca/coudot
>