Re: Redhat LDAP Client Issues when disabling SSLv3
On Wed, 22 Oct 2014, Peter Boguszewski wrote:
> I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when
> attempting to disable SSLv3. I have compiled the servers with the
> --with-tls=openssl option and communication appears to be working well between
> servers no matter what I have for SSL Protocol. My problems are with the
> clients.
>
> For client configuration I install the openldap-clients package via yum
> install. Everything works as expected with this setting on the server side:
>
> olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
>
> as soon as I modify the +SSLv3 to -SSLv3 to this:
>
> olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
>
> the client no longer works.
Cipher suites are not protocol versions. To configure slapd to only
negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented
in slapd-config(5).
If you want to understand what your cipher suite specification was
doing then you should
1) read the ciphers(1) manpage (or maybe the CIPHERS section of the
openssl(1) manpage), and
2) test them with the "openssl ciphers -v" command, a la
   openssl ciphers -v HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
You'll quickly find out that "TLSv1.1" isn't a valid specifier, nor is
"TLSv1.0", and ciphers covered by "SSLv3" are also used by TLS. Your last
request therefore disabled all the pre-TLSv1.2 ciphers.
To require TLSv1.0 or higher with 128bit and longer ciphers you probably
just want:
olcTLSProtocolMin: 3.1
olcTLSCipherSuite: HIGH
...
> Is there a solution to LDAP auth for RHEL clients with only allowing
> TLSv1.2? I will gladly compile from source or use the LTB Project rpms.
It seems your client systems don't actually support the TLSv1.2 ciphers.
You'll need to fix that by building against a crypto library which
actually supports them before you can try to require it.
Philip
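The two steps in the reply (look at what a cipher string really selects with "openssl ciphers -v", then set olcTLSProtocolMin instead of trying to express protocol versions as cipher names) as one added shell script, followed by a check of what the server and the installed LDAP client actually negotiate. This is an added example, not code from the thread or from the OpenLDAP project; the host name ldap.example.com, write access to cn=config over ldapi:/// as root via SASL EXTERNAL, and the presence of openssl, ldapmodify and ldapsearch are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: set the protocol floor the way
# the reply recommends, then check what the server and the installed client
# really negotiate. Assumed/hypothetical: the server name ldap.example.com,
# that cn=config is writable over ldapi:/// by root via SASL EXTERNAL, and
# that openssl, ldapmodify and ldapsearch are installed on this host.
set -u

HOST="${LDAP_HOST:-ldap.example.com}"   # hypothetical server name
PORT="${LDAP_PORT:-636}"

# Summarise a cipher string by the protocol column of "openssl ciphers -v".
# That column is the *lowest* protocol a suite can be used with, so a suite
# tagged SSLv3 is also what TLSv1.0 and TLSv1.1 sessions use; "-SSLv3"
# therefore strips every pre-TLSv1.2 suite rather than disabling SSLv3.
cipher_protocols() {
    openssl ciphers -v "$1" | awk '{ n[$2]++ } END { for (p in n) print n[p], p }' | sort -k2
}

# LDIF for cn=config: floor at TLSv1.0 and keep only HIGH-strength suites.
# olcTLSProtocolMin uses the wire version numbers: 3.0 = SSLv3, 3.1 = TLSv1.0,
# 3.2 = TLSv1.1, 3.3 = TLSv1.2 (see slapd-config(5)).
tls_policy_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
EOF
}

# Apply the LDIF on the server as root (assumes the usual ldapi:///+EXTERNAL
# access to cn=config).
apply_policy() {
    tls_policy_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Handshake with one forced protocol using OpenSSL; returns 0 only when a
# cipher was negotiated. An OpenSSL build without SSLv3 rejects -ssl3 outright,
# which also counts as "refused" here; read the output if you need to tell
# the two cases apart.
probe_openssl() {
    openssl s_client -connect "$HOST:$PORT" "$1" </dev/null 2>&1 |
        grep -q 'Cipher is [A-Z]'
}

# The same question asked of the installed LDAP client library, which is what
# the original problem is about: openssl s_client only shows what OpenSSL on
# this host can do, not what libldap was built against.
probe_ldap_client() {
    ldapsearch -x -H "ldaps://$HOST:$PORT/" -b '' -s base '(objectClass=*)' >/dev/null 2>&1
}

verify_policy() {
    if probe_openssl -ssl3; then
        echo "FAIL: $HOST still accepts SSLv3"; return 1
    fi
    if ! probe_openssl -tls1_2; then
        echo "FAIL: $HOST refuses TLSv1.2"; return 1
    fi
    if ! probe_ldap_client; then
        echo "FAIL: this host's LDAP client cannot reach $HOST over ldaps"; return 1
    fi
    echo "OK: SSLv3 refused, TLSv1.2 accepted, LDAP client connects"
}

case "${1:-}" in
    ciphers) cipher_protocols "${2:-HIGH}" ;;
    apply)   apply_policy ;;
    verify)  verify_policy ;;
esac
```

Run it with "ciphers 'HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2'" to see that the original string leaves nothing tagged SSLv3 (and hence nothing usable below TLSv1.2), with "apply" on the server as root, and with "verify" on a client; a client whose ldapsearch fails while openssl s_client succeeds is one whose LDAP library, not the server, lacks the negotiated protocol.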