
Re: Redhat LDAP Client Issues when disabling SSLv3



Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 or TLS1.2 with the yum-installed packages.

Pete

On 10/22/2014 4:29 PM, Philip Guenther wrote:
On Wed, 22 Oct 2014, Peter Boguszewski wrote:
I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when
attempting to disable SSLv3.  I have compiled the servers with the
--with-tls=openssl option and communication appears to be working well between
servers no matter what I have for the SSL protocol.  My problems are with the
clients.

For client configuration I install the openldap-clients package via yum
install.  Everything works as expected with this setting on the server side:

olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2

as soon as I modify the +SSLv3 to -SSLv3 to this:

olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2

the client no longer works.

Cipher suites are not protocol versions.  To configure slapd to only
negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented
in slapd-config(5).

If you want to understand what your cipher suite specification was
doing then you should

1) read the ciphers(1) manpage (or maybe the CIPHERS section of the
    openssl(1) manpage), and

2) test them with the "openssl ciphers -v" command, a la
	openssl ciphers -v HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2

You'll quickly find out that "TLSv1.1" isn't a valid specifier, nor is
"TLSv1.0", and ciphers covered by "SSLv3" are also used by TLS.  Your last
request therefore disabled all the pre-TLSv1.2 ciphers.

To require TLSv1.0 or higher with 128bit and longer ciphers you probably
just want:
	olcTLSProtocolMin: 3.1
	olcTLSCipherSuite: HIGH


...
Is there a solution to LDAP auth for RHEL clients with only allowing
TLSv1.2? I will gladly compile from source or use the LTB Project rpms.

It seems your client systems don't actually support the TLSv1.2 ciphers.
You'll need to fix that by building against a crypto library which
actually supports them before you can try to require it.


Philip

--
Peter Boguszewski
Manager of Library Systems
UW Madison - Library Technology Group
pboguszewski@library.wisc.edu
608.262.4768
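The distinction Philip draws in the quoted reply (aliases such as SSLv3 and TLSv1.2 in a cipher string select suites, not protocol versions; TLSv1.1 and TLSv1.0 are not aliases at all and OpenSSL skips a rule word it does not recognise; the protocol floor belongs in olcTLSProtocolMin) can be traced through with a small model of the ciphers(1) rule semantics. This is an added example, not code from either poster nor from OpenLDAP or OpenSSL. The suite table is constructed with 2014-era OpenSSL 1.0.1 flagging (3DES still HIGH, TLSv1 the same flag as SSLv3), and the client that tops out at TLS 1.0 is an assumption standing in for the yum-installed RHEL 6 clients Pete describes.

```python
"""
Toy model of how OpenSSL evaluates a cipher string, used to show why
"-SSLv3" in olcTLSCipherSuite also strips the suites TLS 1.0/1.1 use,
while olcTLSProtocolMin is the knob that actually sets a protocol floor.

The suite table below is CONSTRUCTED for illustration and follows
2014-era OpenSSL 1.0.1 flagging (3DES still HIGH, TLSv1 == SSLv3 alias).
It is not a dump from any real library.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    strength: str   # OpenSSL strength alias the suite belongs to: HIGH / MEDIUM
    protocol: str   # protocol flag: "SSLv2", "SSLv3" (SSLv3-era suites, also used
                    # by TLS 1.0-1.2) or "TLSv1.2" (suites that exist only in TLS 1.2)


# Constructed master list, in the order OpenSSL would enumerate them.
SUITES = [
    Suite("AES256-GCM-SHA384", "HIGH", "TLSv1.2"),
    Suite("AES256-SHA256", "HIGH", "TLSv1.2"),
    Suite("AES256-SHA", "HIGH", "SSLv3"),
    Suite("AES128-GCM-SHA256", "HIGH", "TLSv1.2"),
    Suite("AES128-SHA", "HIGH", "SSLv3"),
    Suite("DES-CBC3-SHA", "HIGH", "SSLv3"),
    Suite("RC4-SHA", "MEDIUM", "SSLv3"),
    Suite("DES-CBC3-MD5", "HIGH", "SSLv2"),
]
BY_NAME = {s.name: s for s in SUITES}

OLD_SPEC = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2"   # worked, per the thread
NEW_SPEC = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2"   # broke the clients


def _selector(word):
    """Predicate for a recognised OpenSSL alias, or None if `word` is not one."""
    if word in ("HIGH", "MEDIUM", "LOW"):
        return lambda s: s.strength == word
    if word == "TLSv1":            # in OpenSSL 1.0.x TLSv1 is the same flag as SSLv3
        word = "SSLv3"
    if word in ("SSLv2", "SSLv3", "TLSv1.2"):
        return lambda s: s.protocol == word
    if word == "ALL":
        return lambda s: True
    return None


def expand_cipher_string(spec, suites=SUITES):
    """Apply the rules of `spec` as ciphers(1) describes them.

    Returns (ordered suite names, words OpenSSL would have ignored).
      word   append matching suites not yet present
      +word  move matching suites already present to the end
      -word  delete matching suites (a later rule may re-add them)
      !word  delete matching suites permanently
    """
    active, killed, ignored = [], set(), []
    for rule in spec.split(":"):
        if not rule:
            continue
        op, word = (rule[0], rule[1:]) if rule[0] in "+-!" else ("", rule)
        select = _selector(word)
        if select is None:
            ignored.append(word)       # "TLSv1.1" and "TLSv1.0" land here: no such aliases
            continue
        hits = [s for s in suites if select(s)]
        if op == "":
            active += [s for s in hits if s not in active and s not in killed]
        elif op == "+":
            active = [s for s in active if s not in hits] + [s for s in active if s in hits]
        elif op == "-":
            active = [s for s in active if s not in hits]
        else:
            killed.update(hits)
            active = [s for s in active if s not in hits]
    return [s.name for s in active], ignored


def suite_usable_at(suite, version):
    """Can `suite` be negotiated at protocol `version` (a (major, minor) tuple)?"""
    if suite.protocol == "SSLv3":
        return version >= (3, 0)       # SSLv3 suites carry over into every TLS version
    if suite.protocol == "TLSv1.2":
        return version >= (3, 3)       # SHA-256/GCM suites exist only from TLS 1.2 on
    return False                       # SSLv2 suites never appear in a v3+ handshake


def handshake_outcome(cipher_string, protocol_min, client_version):
    """Model a client whose best protocol is `client_version` against slapd with
    olcTLSCipherSuite=cipher_string and olcTLSProtocolMin=protocol_min ("3.1" = TLS 1.0).
    Returns the first negotiable suite name or a "rejected: ..." reason."""
    floor = tuple(int(x) for x in protocol_min.split("."))
    if client_version < floor:
        return "rejected: protocol below olcTLSProtocolMin"
    names, _ = expand_cipher_string(cipher_string)
    usable = [n for n in names if suite_usable_at(BY_NAME[n], client_version)]
    return usable[0] if usable else "rejected: no shared cipher suite"


if __name__ == "__main__":
    tls10_client = (3, 1)   # assumption: what the yum-installed client tops out at
    for spec in (OLD_SPEC, NEW_SPEC):
        names, ignored = expand_cipher_string(spec)
        print(spec, "->", names, "ignored:", ignored)
        print("  TLS 1.0 client:", handshake_outcome(spec, "3.0", tls10_client))
    # The fix Philip recommends: protocol floor via olcTLSProtocolMin, plain HIGH list.
    print("HIGH + ProtocolMin 3.1, TLS 1.0 client:", handshake_outcome("HIGH", "3.1", tls10_client))
    print("HIGH + ProtocolMin 3.1, SSLv3 client:  ", handshake_outcome("HIGH", "3.1", (3, 0)))
```

With the old string the TLS 1.0 client still finds AES256-SHA; with "-SSLv3" every suite it can speak is gone and only the TLS 1.2-only suites remain, which is the failure Pete saw. Setting olcTLSProtocolMin to 3.1 with a plain HIGH list rejects an SSLv3 client at the protocol level while leaving the TLS 1.0 suites in place. The table here is a stand-in: check the real behaviour of a given build with "openssl ciphers -v <spec>", as Philip suggests.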