Re: Forcing TLS encryption



On Dec 21, 2012, at 10:00 AM, Wiebe Cazemier <wiebe@halfgaar.net> wrote:

> Hi, 
> 
> I'm trying to get slapd to reject non-encrypted connections, but nowhere can I find how you configure it to *only* accept TLS traffic. I just confirmed that our server accepts unencrypted traffic (with ldapsearch and tcpdump). Normally, I would just close the non-SSL port with IP tables, but using the SSL port is deprecated, apparently, so I don't have that option. 
> 
> So, with the cn=config SSL configuration commands, like this: 
> 
> 
> dn: cn=config
> changetype:modify
> replace: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/bla.key
> -
> replace: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/bla.crt
> -
> replace: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/ca.pem 
> 
> 
> 
> Is there a param for forcing TLS? I tried: 
> 
> 
> dn: cn=config
> changetype: modify
> replace: olcTLSCipherSuite
> olcTLSCipherSuite: TLSv1+RSA:!NULL
> 
> 
> but it doesn't work; the server doesn't start. Debug output: 
> 
> 
> TLS: could not set cipher list TLSv1+RSA:!NULL.
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy. 
> 
> 
> Nor does "olcTLSCipherSuite: HIGH" work.
> 
> I looked in the openldap source code, but even there, I can't find how to do it.
> 
> Slapd: 2.4.21-0ubuntu5.7
> Ubuntu: Ubuntu 10.04.4 LTS

I added an olcSecurity attribute to the database directives for the parts of the server's DIT where I wish to require TLS.  To start with I set the value "tls=1".

See also:

  http://itsecureadmin.com/tag/openldap/

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
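As an added illustration of the olcSecurity approach above (not part of the original thread), the LDIF below sets `tls=1` on one database and, as an alternative, a minimum `ssf=128` on the frontend so that every database inherits it. The database DN `olcDatabase={1}hdb` and the suffix are assumptions; adjust them to the local cn=config tree.

```ldif
# Require an established TLS session (StartTLS on port 389) before any
# operation reaches this database. Cleartext requests get
# "Confidentiality required (13)" / "TLS confidentiality required".
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

# Alternative: enforce a minimum security strength factor on the frontend
# database, which applies to all backends. ssf=128 means at least a
# 128-bit cipher; it is satisfied by TLS with a strong suite, and also by
# ldapi:// if olcLocalSSF is set to 128 or higher.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128

# Verification (assumed host name):
#   ldapsearch -H ldap://ldap.example.net -x -b "dc=example,dc=net" -s base
#     -> expected to fail with result 13, Confidentiality required
#   ldapsearch -H ldap://ldap.example.net -ZZ -x -b "dc=example,dc=net" -s base
#     -> succeeds, because -ZZ issues StartTLS and aborts if it fails
```

Note that `tls=1` only checks that TLS is active, not how strong it is; if the goal is to rule out weak suites as well, combine it with `ssf=` or tighten olcTLSCipherSuite on the server.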