[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Redhat LDAP Client Issues when disabling SSLv3






From: mlstarling31@hotmail.com
To: fumiyas@osstech.jp; openldap-technical@openldap.org
Subject: RE: Redhat LDAP Client Issues when disabling SSLv3
Date: Thu, 23 Oct 2014 10:52:22 -0400

> Date: Thu, 23 Oct 2014 11:59:10 +0900
> From: fumiyas@osstech.jp
> To: openldap-technical@openldap.org
> Subject: Re: Redhat LDAP Client Issues when disabling SSLv3
>
> At Wed, 22 Oct 2014 16:54:24 -0500,
> Peter Boguszewski wrote:
> > Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 nor TLS1.2 with the yum installed packages.
>
> OpenLDAP in RHEL 6.x is version 2.4.23 that has a bug, ITS#7645.
> (See http://www.openldap.org/its/index.cgi?findid=7645)
>
> You must set olcTLSProtocolMin to 769 instead of 3.1
> for OpenLDAP 2.4.35 and older.
>
> > > Cipher suites are not protocol versions. To configure slapd to only
> > > negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented
> > > in slapd-config(5).
>
> --
> -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
> -- Business Home: http://www.OSSTech.co.jp/
> -- GitHub Home: https://GitHub.com/fumiyas/
> -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
>


>Thank you Satoh.

>I can confirm setting olcTLSProtocolMin 3.1 disabled SSLv3 in the RHEL openldap-2.4.39-8 package.

>However, setting olcTLSProtocolMin 769 on openldap-2.4.23-34.el6_5.1 still allows a successful SSlv3 handshake. Also, olcTLSProtocolMin is not even >documented in the slapd.conf man pages for this version.



I suspect I'm hitting the issue of  RHEL openldap being linked against moz_nss and not openssl, therefore olcTLSProtocolMin is ignored in this version.