
Re: undocumented TLSProtocolMin



On Tue, 23 Jul 2013, Quanah Gibson-Mount wrote:
> --On Tuesday, July 23, 2013 1:11 PM +0200 Manuel Gaupp <mgaupp@googlemail.com>
> wrote:
> > OpenLDAP seems to support an undocumented configuration parameter
> > "TLSProtocolMin" when linked against OpenSSL. It allows setting the
> > minimum SSL/TLS protocol version:
> > 
> > * TLSProtocolMin 768   # (3 << 8) disables SSLv2
> > * TLSProtocolMin 769   # ((3 << 8)+1) disables SSLv2 and SSLv3
> > 
> > As there's no documentation for TLSProtocolMin:
> > Is this feature ready for production or is it experimental?
> 
> Please file an ITS about its lack of documentation:
> http://www.openldap.org/its

My original ITS for this included an update for ldap.conf(5) which was 
never committed:

http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=5655

I thought I had a diff for slapd.conf(5) as well, but I don't see it in 
the src trees I have on hand.  Maybe it's in that backup at home.  The 
bulk of the wording can be shared with the ldap.conf(5) diff, of course.


That reminds me: now that newer versions of OpenSSL have support for TLS 
1.1 and 1.2, including the ability to disable them, here's a diff to add 
support for doing so in OpenLDAP.  Build tested only.

Philip Guenther

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 24d43ee..3c077f8 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -219,6 +219,25 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 			(const unsigned char *) "OpenLDAP", sizeof("OpenLDAP")-1 );
 	}
 
+#ifdef SSL_OP_NO_TLSv1
+#ifdef SSL_OP_NO_TLSv1_1
+#ifdef SSL_OP_NO_TLSv1_2
+	if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
+		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+			SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
+			SSL_OP_NO_TLSv1_2 );
+	else
+#endif
+	if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_1)
+		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+			SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 );
+	else
+#endif
+	if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_0)
+		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+			SSL_OP_NO_TLSv1);
+	else
+#endif
 	if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
 		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
 	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
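Review bot: the first added branch (the `> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2` case) sets every SSL_OP_NO_* flag the library knows, including SSL_OP_NO_TLSv1_2, so a minimum configured above TLS 1.2 leaves the context with no negotiable protocol and the misconfiguration only shows up as handshake failures; rejecting such a value with an error where ldo_tls_protocol_min is parsed, or clamping it to TLS1_2 and logging, would fail earlier and more visibly than silently disabling everything. The cascaded `else` / `#endif` / `if` chain works, but it reads as a single if/else only when all three SSL_OP_NO_TLSv1* macros are defined; a short comment saying that the chain intentionally falls through to the existing SSL3/SSL2 tests would help the next reader. Minor style: `TLS1_2)`, `TLS1_1)`, `TLS1_0)` and `SSL_OP_NO_TLSv1);` drop the space before `)` that the surrounding code uses (`_SSL3 )`).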