
PFS, TLSCipherSuite and Mac OS X interop



HI!

Does anybody here have experience with Mac OS X accessing an OpenLDAP server regarding TLS
cipher suites?

OpenLDAP system:
- Debian Jessie
- OpenSSL 1.0.1t (openssl-1.0.1t-1+deb8u6)
- LTB packages openldap-ltb-2.4.44.1

Client is most recent Mac OS X.

In Æ-DIR the default is to only use PFS-secured ciphers:

TLSCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!ADH

But that does not work. Maybe I am overlooking something, but to me it seems Mac OS X does not
send any PFS ciphers in its ClientHello (see Wireshark dissection below).

How can I enable PFS ciphers in Mac's libldap?

Ciao, Michael.

------------------------------ snip ------------------------------
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 98
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 94
            Version: TLS 1.2 (0x0303)
            Random
            Session ID Length: 0
            Cipher Suites Length: 14
            Cipher Suites (7 suites)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 39
            Extension: signature_algorithms
            Extension: status_request
            Extension: signed_certificate_timestamp
            Extension: Extended Master Secret
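
The mismatch described in the message, checked mechanically: the server's TLSCipherSuite list and the suites in the captured ClientHello are compared by IANA name. This is an added example, not part of the original post; the name table covers only the eight ciphers named in the TLSCipherSuite line, and the function names are illustrative.

```python
import re

# OpenSSL names used in the TLSCipherSuite line -> IANA names (only these eight).
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDH-RSA-AES256-GCM-SHA384": "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES128-GCM-SHA256": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDH-RSA-AES128-GCM-SHA256": "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-SHA256": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
# Server setting copied from the message.
SERVER_CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!ADH")
# Cipher suite lines copied from the ClientHello dissection in the message.
CLIENT_HELLO = """
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
"""

def server_suites(cipher_string):
    """IANA names of the explicitly listed ciphers; '!ADH' only excludes."""
    names = [t for t in cipher_string.split(":") if t and t[0] not in "!-+"]
    return [OPENSSL_TO_IANA[n] for n in names]

def client_suites(dissection):
    """Suite names from Wireshark 'Cipher Suite: NAME (0x....)' lines."""
    found = re.findall(r"Cipher Suite:\s+(TLS_\w+)\s+\(0x[0-9a-f]{4}\)", dissection)
    # The SCSV is a signalling value, not a negotiable cipher suite.
    return [s for s in found if not s.endswith("_SCSV")]

def key_exchange(suite):
    """Key exchange part of an IANA name, e.g. ECDHE_RSA or RSA."""
    return suite[len("TLS_"):].split("_WITH_")[0]

def negotiable(cipher_string, dissection):
    """Server-preferred suites that the client also offered."""
    offered = set(client_suites(dissection))
    return [s for s in server_suites(cipher_string) if s in offered]

if __name__ == "__main__":
    print("common suites:", negotiable(SERVER_CIPHER_STRING, CLIENT_HELLO))
    print("client key exchanges:", {key_exchange(s) for s in client_suites(CLIENT_HELLO)})
```

An empty list of common suites means the handshake has nothing to select, and every suite the client offers uses plain RSA key exchange.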

