Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
guenther+ldapdev@sendmail.com wrote:
> Full_Name: Philip Guenther
> Version:
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/guenther-080813.patch
> Submission from: (NULL) (64.58.1.252)
>
>
> It's time for SSL version 2.0 to die: it has numerous weaknesses and has been
> superseded by SSL version 3.0 and TLS version 1.0 for *years*. Indeed, the LDAP
> Start_Tls extended operation is defined by reference to the TLS standard.
>
> (It could be argued that a client that sends an SSLv2-compatible handshake after
> doing Start_Tls is non-compliant, or at least non-interoperable, as servers are
> only required to support true TLS handshakes.)
>
> As a first step, here's a patch against the CVS trunk that adds the ability to
> set the minimum TLS/SSL protocol from the C API (LDAP_OPT_X_TLS_PROTOCOL_MIN),
> the ldap.conf (TLS_PROTOCOL_MIN), and the slapd config
> (TLSProtocolMin/olcTLSProtocolMin). Possible settings are:
> C API ldap_[sg]et_option()         ldap.conf/slapd config
> -----------------------------------------------------------
> LDAP_OPT_X_TLS_PROTOCOL_SSLv2      SSLv2
> LDAP_OPT_X_TLS_PROTOCOL_SSLv3      SSLv3
> LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0    TLSv1 OR TLSv1.0
Using an option flag for each protocol version seems excessive; it will be a
recurring maintenance burden because each new option flag reflects an API
change. (GnuTLS claims to already support TLSv1.2.)
This should use a single option flag and a numeric or bitfield argument for
selecting protocols instead. Since we're talking about minimum settings, it
should likely just be an increasing range of numbers.
I note that the on-the-wire protocol version is just a 16-bit integer; we
could define protocol names that correspond directly to these values.
> (1.0, because TLSv1.1 is already published, even though OpenSSL doesn't support
> it yet)
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
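The scheme Howard suggests above, a single minimum-version option whose argument is a 16-bit number derived from the wire version so that newer protocols always compare greater, is sketched here as an added example. It is not code from the patch or from OpenLDAP; the PROTO_* macros, the (major << 8) | minor layout and the function names are assumptions made for illustration, and the config lines in main() are constructed samples.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed encoding (not OpenLDAP's actual API): one 16-bit value per
 * protocol, laid out as (major << 8) | minor. TLS versions are 3.x on the
 * wire, so TLSv1.0 = 0x0301 and so on; SSLv2 is treated as 2.0 so that the
 * values form one increasing range and a minimum is a single comparison. */
#define PROTO_VER(maj, min) ((uint16_t)(((maj) << 8) | (min)))
#define PROTO_SSL2   PROTO_VER(2, 0)
#define PROTO_SSL3   PROTO_VER(3, 0)
#define PROTO_TLS1_0 PROTO_VER(3, 1)
#define PROTO_TLS1_1 PROTO_VER(3, 2)
#define PROTO_TLS1_2 PROTO_VER(3, 3)

/* Case-insensitive ASCII string equality (config keywords are usually
 * accepted in any case). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Map the config-file spellings from the patch (SSLv2, SSLv3, TLSv1 or
 * TLSv1.0, plus TLSv1.1/TLSv1.2 for the versions already published) to the
 * numeric value. Returns 0 for an unrecognised name. */
uint16_t tls_proto_parse(const char *name)
{
    static const struct { const char *name; uint16_t ver; } table[] = {
        { "SSLv2",   PROTO_SSL2 },
        { "SSLv3",   PROTO_SSL3 },
        { "TLSv1",   PROTO_TLS1_0 },
        { "TLSv1.0", PROTO_TLS1_0 },
        { "TLSv1.1", PROTO_TLS1_1 },
        { "TLSv1.2", PROTO_TLS1_2 },
    };
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (ieq(name, table[i].name))
            return table[i].ver;
    return 0;
}

/* Accept a negotiated version only if it is at least the configured
 * minimum. A minimum of 0 means "no restriction", i.e. the behaviour
 * before the option existed. */
int tls_proto_allowed(uint16_t negotiated, uint16_t minimum)
{
    return minimum == 0 || negotiated >= minimum;
}

/* Copy the next blank-delimited token from *p into buf; returns its length. */
static size_t next_token(const char **p, char *buf, size_t bufsz)
{
    size_t n = 0;
    while (**p == ' ' || **p == '\t') (*p)++;
    while (**p && **p != ' ' && **p != '\t' && **p != '\n' && n < bufsz - 1)
        buf[n++] = *(*p)++;
    buf[n] = '\0';
    return n;
}

/* Parse one ldap.conf-style line "TLS_PROTOCOL_MIN <name>". On success
 * stores the minimum in *out and returns 1; returns 0 when the line is a
 * different directive or names an unknown protocol. */
int tls_proto_min_from_line(const char *line, uint16_t *out)
{
    char kw[32], name[16];
    if (!next_token(&line, kw, sizeof kw) || !ieq(kw, "TLS_PROTOCOL_MIN"))
        return 0;
    if (!next_token(&line, name, sizeof name))
        return 0;
    *out = tls_proto_parse(name);
    return *out != 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real ldap.conf. */
    const char *lines[] = { "TLS_CACERT /etc/ssl/ca.pem", "TLS_PROTOCOL_MIN SSLv3" };
    uint16_t minimum = 0;
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        tls_proto_min_from_line(lines[i], &minimum);
    printf("minimum 0x%04x: SSLv2 %s, TLSv1.0 %s\n", minimum,
           tls_proto_allowed(PROTO_SSL2, minimum) ? "allowed" : "rejected",
           tls_proto_allowed(PROTO_TLS1_0, minimum) ? "allowed" : "rejected");
    return 0;
}
```

Because the values are ordered, adding a future protocol is a new table entry and a new constant rather than a new option flag, which is the maintenance point made in the reply.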