
Re: enforce TLS 1.2 in OpenLDAP server side



Hello,

I am sorry for the inconvenience. I have filed a bug about this:
https://bugzilla.redhat.com/show_bug.cgi?id=1375432
This should be fixed with the next release.

Regards.

Steve Zeng <steve.zeng@booking.com> writes:

> Thanks for the LDAP tool box packages. I will give it a try. 
>
> Quick questions, I ran ldd to find out which TLS/SSL library and it shows:
>
> # ldd /usr/sbin/slapd
>
>    linux-vdso.so.1 =>  (0x00007fff5b044000)
>    libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f3a36585000)
>    libdb-4.7.so => /lib64/libdb-4.7.so (0x00007f3a36211000)
>    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f3a35ff6000)
>    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f3a35dbf000)
>    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3a35ba5000)
>    libssl3.so => /usr/lib64/libssl3.so (0x00007f3a35965000)
>    libsmime3.so => /usr/lib64/libsmime3.so (0x00007f3a35739000)
>    libnss3.so => /usr/lib64/libnss3.so (0x00007f3a353fa000)
>    libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f3a351cd000)
>    libplds4.so => /lib64/libplds4.so (0x00007f3a34fc9000)
>    libplc4.so => /lib64/libplc4.so (0x00007f3a34dc4000)
>    libnspr4.so => /lib64/libnspr4.so (0x00007f3a34b85000)
>    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a34968000)
>    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3a3475d000)
>    libc.so.6 => /lib64/libc.so.6 (0x00007f3a343c8000)
>    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a341c4000)
>    libfreebl3.so => /lib64/libfreebl3.so (0x00007f3a33f4d000)
>    libz.so.1 => /lib64/libz.so.1 (0x00007f3a33d36000)
>    librt.so.1 => /lib64/librt.so.1 (0x00007f3a33b2e000)
>    /lib64/ld-linux-x86-64.so.2 (0x00007f3a3679c000)
>    libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f3a33914000)
>
>
> # rpm -qf /usr/lib64/libssl3.so 
>
> nss-3.21.0-8.el6.x86_64
>
>
>
> Will that (the line containing libssl3.so) confirm it is the MozNSS libs? 
>
> I also tried the other settings and all clients immediately could not connect. Is that a suggested setting for this purpose, or is it simply due to the wrong value I gave?
>
> olcTLSCipherSuite: ALL:!TLSv1.0:!TLSv1.1:!SSLv3
>
>
> Thanks,
> Steve
>
>
>
> On 9/12/16, 4:26 AM, "openldap-technical on behalf of Clément OUDOT" <openldap-technical-bounces@openldap.org on behalf of clement.oudot@savoirfairelinux.com> wrote:
>
>>
>>
>>On 11/09/2016 at 03:25, Steve Zeng wrote:
>>> Thanks for the note. So we need to rebuild it against OpenSSL?
>>>
>>>
>>
>>You can give a try to LDAP Tool Box packages which are built against 
>>OpenSSL:
>>* http://ltb-project.org/wiki/documentation/openldap-rpm
>>* http://ltb-project.org/wiki/download#openldap
>>
>>-- 
>>Clément OUDOT
>>Free software consultant, infrastructure and security expert
>>Savoir-faire Linux
>>87, rue de Turbigo - 75003 PARIS
>>Blog: http://sflx.ca/coudot
>>

-- 
Matus Honek
Associate Software Engineer @ Red Hat, Inc.
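
The ldd check discussed in the thread, written as a repeatable script. This is an added example, not code from any poster or from the OpenLDAP project. It relies on `rpm -qf` in the thread attributing libssl3.so to the nss package; the OpenSSL (libssl.so.N, libcrypto.so.N) and GnuTLS (libgnutls.so) soname patterns and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): name the TLS library slapd is linked
# against, given `ldd` output on stdin.
# Prints: moznss | openssl | gnutls | none | ambiguous:<list>
tls_backend_from_ldd() {
    awk '
        { so = $1 }                                            # soname is the first field
        so ~ /^lib(ssl3|nss3)\.so/    { seen["moznss"]  = 1 }  # NSS: libssl3.so, libnss3.so
        so ~ /^lib(ssl|crypto)\.so\./ { seen["openssl"] = 1 }  # OpenSSL, but not glibc libcrypt.so.1
        so ~ /^libgnutls\.so/         { seen["gnutls"]  = 1 }
        END {
            n = split("moznss openssl gnutls", order, " ")
            hits = 0; out = ""
            for (i = 1; i <= n; i++)
                if (order[i] in seen) { out = out (hits ? "," : "") order[i]; hits++ }
            # ldd also lists indirect dependencies, so several TLS libraries
            # can appear; report that instead of guessing.
            if (hits == 0)      print "none"
            else if (hits == 1) print out
            else                print "ambiguous:" out
        }'
}

# Four lines taken from the ldd output quoted in the thread.
sample_thread() {
    cat <<'EOF'
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f3a35dbf000)
    libssl3.so => /usr/lib64/libssl3.so (0x00007f3a35965000)
    libnss3.so => /usr/lib64/libnss3.so (0x00007f3a353fa000)
    libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f3a351cd000)
EOF
}

# Constructed sample: what an OpenSSL-linked build could look like.
sample_openssl() {
    cat <<'EOF'
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000000000000000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000000000000000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000000000000000)
EOF
}

sample_thread  | tls_backend_from_ldd   # moznss
sample_openssl | tls_backend_from_ldd   # openssl
# On a real host: ldd /usr/sbin/slapd | tls_backend_from_ldd
```

An `ambiguous` result means the TLS library has to be confirmed another way, for example from the package's build options.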