[Date Prev][Date Next] [Chronological] [Thread] [Top]

Forcing TLS encryption

To: openldap-technical@openldap.org
Subject: Forcing TLS encryption
From: Wiebe Cazemier <wiebe@halfgaar.net>
Date: Fri, 21 Dec 2012 16:00:06 +0100 (CET)
In-reply-to: <898874689.9555.1356100764505.JavaMail.root@halfgaar.net>
Thread-index: xb+NmB2ujryadFC0rppqRJbx0PCKGA==
Thread-topic: Forcing TLS encryption

Hi, 

I'm trying to get slapd to reject non-encrypted connections, but nowhere can I find how you configure it to *only* accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump). Normally, I would just close the non-SSL port with IP tables, but using the SSL port is deprecated, apparently, so I don't have that option. 

So, with the cn=config SSL configuration commands, like this: 


dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/bla.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/bla.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.pem 



Is there a param for forcing TLS? I tried: 


dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1+RSA:!NULL


but it doesn't work; the server doesn't start. Debug output: 


TLS: could not set cipher list TLSv1+RSA:!NULL.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy. 


Nor does "olcTLSCipherSuite: HIGH" work.

I looked in the openldap source code, but even there, I can't find how to do it.

Slapd: 2.4.21-0ubuntu5.7
Ubuntu: Ubuntu 10.04.4 LTS

Thanks,

Wiebe Cazemier

Follow-Ups:
- Re: Forcing TLS encryption
  - From: Chuck Lever <chuck.lever@oracle.com>

Prev by Date: Re: db_recover gives program version mismatch
Next by Date: Re: Forcing TLS encryption
Index(es):
- Chronological
- Thread