Locking down ciphers in OpenLDAP with GnuTLS

To: openldap-technical@openldap.org

Subject: Locking down ciphers in OpenLDAP with GnuTLS

From: Philip Colmer <philip.colmer@linaro.org>

Date: Thu, 7 Feb 2019 16:50:58 +0000

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=gVq74UpRAsBcmxSbHN2B0cKolMTCn6sm5j/5ERneUFg=; b=Yd6oJx2qEjy32r9Fxfo5iA9BawSbZnTvHLs0Ipmx4ZZZA4TZJG3ZfhdDffOb/dDrXl 7HN9mxb8vZFWUFwm7Xlf8ezuAjXXVLrqVBso2QRavvGIUL+H+53gFhCD/ve9Ju6zx1Tp Uwpvhrd8hSb7dTFxLQJfSRIe5YDgAKyXiGG9DKolT28JkZPqyBDIj79jKmx7Zg5G2GNr pF0NnqmMJ9mMWNDidq6/COYFw419kMLTf/8HfFJbFjBNymzbTnsbyGXRQYgzRQbStwII g83YCnt0PyLI5LrYKdI4v/vk/oMIkg4r/2pM9tVv69DPfcUc1fKf/BkoUpgMm9PeH9pe fJPw==

I want to restrict the cipher suites used in OpenLDAP so that only TLS1.2 is supported.

Looking at https://openldap.org/doc/admin24/tls.html, I first tried setting olcTLSCipherSuite to "HIGH" but the LDAP server gave an error 80 and then stopped accepted further connections until I restarted it.

Since our OpenLDAP installation has been built with GnuTLS, I'm presuming that I have to explicitly list out the GnuTLS cipher suites I want to use. I've used gnutls-cli to list out the cipher suites that support PFS and then extracted the ones that are TLS1.2.

So, just to confirm, do I need to provide a colon-separated list of each and every cipher suite or is there a GnuTLS shorthand that I can use?

Regards

Philip