
enforce TLS 1.2 in OpenLDAP server side



Hi, all

What are the best settings to enforce TLS 1.2 on the OpenLDAP server side (openldap-2.4.44-1.el6)?

I make the change below:

From: 
olcTLSProtocolMin: 0.0

To:
olcTLSProtocolMin: 3.3

However, TLS1.0 still shows up in a lot of tcpdump packets:

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 70
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 66
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 0
            Cipher Suites Length: 20
            Cipher Suites (10 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 5
            Extension: renegotiation_info

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 1704
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 77
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 32
            Session ID: 39c37acec27b5f497c3bf4a4c694c4a9cc03ed6371e0fee0...
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Method: null (0)
            Extensions Length: 5
            Extension: renegotiation_info
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1499
            Certificates Length: 1496
            Certificates (1496 bytes)
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 112
            Certificate types count: 3
            Certificate types (3 types)
            Distinguished Names Length: 106
            Distinguished Names (106 bytes)
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0


Thanks,
Steve
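The dissector output above shows a ServerHello carrying version 0x0301, which is the TLS library telling the client that TLS 1.0 was accepted for that connection. olcTLSProtocolMin uses the same major.minor numbering as the wire version field (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2), so a quick way to confirm whether the setting is actually in effect is to read the handshake version out of the raw record and compare it with the configured minimum. The script below is an added example, not code from the post or from the OpenLDAP project: it parses a TLS handshake record (ClientHello or ServerHello) from raw bytes, pulls out the record version, handshake version and, for ServerHello, the cipher suite, and checks the negotiated version against an olcTLSProtocolMin value. The ServerHello bytes it works on are constructed to mirror the layout of the capture (77-byte body, cipher suite 0x002f, renegotiation_info extension); the function and variable names are mine.

```python
import struct

# Wire versions (major, minor) as tcpdump/Wireshark label them. olcTLSProtocolMin "3.3" is TLS 1.2.
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HANDSHAKE = 22        # record content type
CLIENT_HELLO = 1      # handshake message types
SERVER_HELLO = 2


def parse_protocol_min(value):
    """Turn an olcTLSProtocolMin value such as '3.3' into a (major, minor) tuple."""
    major, minor = value.strip().split(".")
    return (int(major), int(minor))


def parse_handshake_record(data):
    """Parse one TLS record carrying a handshake message.

    Returns the record-layer version, the handshake type, the version inside the
    Hello message and, for a ServerHello, the selected cipher suite.
    """
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % content_type)
    body = data[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    info = {
        "record_version": (rec_major, rec_minor),
        "handshake_type": hs_type,
        "handshake_version": (hs[0], hs[1]),
    }
    if hs_type == SERVER_HELLO:
        # version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
        sid_len = hs[34]
        offset = 35 + sid_len
        info["cipher_suite"] = struct.unpack("!H", hs[offset:offset + 2])[0]
    return info


def build_server_hello(version, cipher_suite):
    """Constructed sample: a ServerHello record laid out like the one in the capture."""
    major, minor = version
    session_id = bytes(range(32))                       # 32-byte session id, as in the capture
    ext = struct.pack("!HHB", 0xFF01, 1, 0)             # renegotiation_info, empty (5 bytes)
    body = (bytes([major, minor]) + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00"  # compression: null
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(hs)) + hs


def check_negotiated_version(record, protocol_min):
    """Compare the version in a Hello message with olcTLSProtocolMin.

    Only a ServerHello proves what was negotiated; a ClientHello version is just the
    client's offer. Returns (ok, message).
    """
    info = parse_handshake_record(record)
    negotiated = info["handshake_version"]
    minimum = parse_protocol_min(protocol_min)
    name = TLS_VERSIONS.get(negotiated, "unknown %d.%d" % negotiated)
    min_name = TLS_VERSIONS.get(minimum, protocol_min)
    if info["handshake_type"] != SERVER_HELLO:
        return None, "%s offered by client; wait for the ServerHello to judge the minimum" % name
    if negotiated < minimum:                            # tuple comparison: (3, 1) < (3, 3)
        return False, "%s negotiated, below configured minimum %s" % (name, min_name)
    return True, "%s negotiated, meets minimum %s" % (name, min_name)


if __name__ == "__main__":
    # Mirrors the capture: TLS 1.0 accepted with TLS_RSA_WITH_AES_128_CBC_SHA while the minimum is 3.3.
    sample = build_server_hello((3, 1), 0x002F)
    print(check_negotiated_version(sample, "3.3"))
```

Run against bytes extracted from a real capture, a ServerHello that parses to (3, 1) while olcTLSProtocolMin is 3.3 means the minimum was not applied to that listener at the time of the handshake; a ServerHello at (3, 3), or a handshake that fails with an alert when the client offers only TLS 1.0, is what a correctly enforced minimum looks like.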