Re: Locking down ciphers in OpenLDAP with GnuTLS
- To: Philip Colmer <philip.colmer@linaro.org>
- Subject: Re: Locking down ciphers in OpenLDAP with GnuTLS
- From: Ryan Tandy <ryan@nardis.ca>
- Date: Thu, 7 Feb 2019 09:06:46 -0800
- Cc: openldap-technical@openldap.org
- Content-disposition: inline
- In-reply-to: <CAKTSSTiG3sVOnUe=tXCXCvYnvVpp4kdX3LLnbndJX-q3xt-HmQ@mail.gmail.com>
- Mail-followup-to: Philip Colmer <philip.colmer@linaro.org>, openldap-technical@openldap.org
- References: <CAKTSSTiG3sVOnUe=tXCXCvYnvVpp4kdX3LLnbndJX-q3xt-HmQ@mail.gmail.com>
- User-agent: NeoMutt/20170113 (1.7.2)
On Thu, Feb 07, 2019 at 04:50:58PM +0000, Philip Colmer wrote:
> So, just to confirm, do I need to provide a colon-separated list of each
> and every cipher suite or is there a GnuTLS shorthand that I can use?
See https://gnutls.org/manual/html_node/Priority-Strings.html for a list
of keywords.
I think you are likely looking for something like (completely untested):
NORMAL:-VERS-ALL:+VERS-TLS1.2
For debugging priority strings and checking what they enable, you can
use gnutls-cli:
gnutls-cli --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -l
For example I noticed this way that mine doesn't understand
"VERS-TLS1.3" yet.
I'll mention as well since this came up in IRC recently - if you have
Ubuntu 14.04 systems in your network still, be aware that its gnutls
package has trouble with TLS1.2: https://bugs.launchpad.net/bugs/1444656
Hope this helps,
Ryan
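The gnutls-cli check Ryan describes, turned into a small script that fails a deployment if the priority string still enables an obsolete protocol version. This is an added example, not part of the mail; it assumes gnutls-cli prints a summary line of the form "Protocols: VERS-TLS1.2, VERS-TLS1.1, ..." (the embedded samples are constructed to that format).

```python
"""Check what a GnuTLS priority string enables before putting it in slapd's
TLSCipherSuite, by parsing the output of `gnutls-cli --priority <string> -l`."""
import re
import subprocess
from typing import List, Optional

# Protocol versions a hardened LDAP server should no longer offer.
OBSOLETE_PROTOCOLS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}

# Constructed samples, modelled on the summary lines gnutls-cli -l prints
# (format assumed; most cipher-suite rows omitted for brevity).
SAMPLE_OUTPUT = """Cipher suites for NORMAL:-VERS-ALL:+VERS-TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256    0xc0, 0x2f  TLS1.2
Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2
Ciphers: AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305
MACs: AEAD, SHA1
"""
SAMPLE_OUTPUT_DEFAULT = """Cipher suites for NORMAL
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0
"""


def parse_summary_line(output: str, label: str) -> List[str]:
    """Return the comma-separated keywords from the '<label>:' summary line,
    or an empty list if gnutls-cli did not print that line."""
    match = re.search(rf"^{re.escape(label)}:\s*(.*)$", output, re.MULTILINE)
    if not match:
        return []
    return [item.strip() for item in match.group(1).split(",") if item.strip()]


def enabled_protocols(output: str) -> List[str]:
    return parse_summary_line(output, "Protocols")


def obsolete_protocols(output: str) -> List[str]:
    """Protocol versions the priority string still enables but should not."""
    return [p for p in enabled_protocols(output) if p in OBSOLETE_PROTOCOLS]


def gnutls_cli_list(priority: str) -> Optional[str]:
    """Run the local gnutls-cli as in the mail. Returns None if gnutls-cli is
    missing or rejects the string (e.g. a keyword this build does not know,
    like VERS-TLS1.3 on older GnuTLS releases)."""
    try:
        return subprocess.run(["gnutls-cli", "--priority", priority, "-l"],
                              check=True, capture_output=True, text=True).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
```

On a host with gnutls-cli installed, `obsolete_protocols(gnutls_cli_list("NORMAL:-VERS-ALL:+VERS-TLS1.2"))` should return an empty list; a non-empty result means the string still admits a version you meant to disable.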