Re: How to configure OpenLDAP on Debian Stretch to support SSLv3.0
- To: Jeremy Davis <jeremy@turnkeylinux.org>
- Subject: Re: How to configure OpenLDAP on Debian Stretch to support SSLv3.0
- From: Ryan Tandy <ryan@nardis.ca>
- Date: Tue, 2 Jul 2019 09:57:10 -0700
- Cc: openldap-technical@openldap.org
- Content-disposition: inline
- In-reply-to: <C09DD13633EE0A367FD379C7@[192.168.1.39]>
- Mail-followup-to: Jeremy Davis <jeremy@turnkeylinux.org>, openldap-technical@openldap.org
- References: <f31b6f53-e4c9-4aff-048e-366b8714ebe6@turnkeylinux.org> <C09DD13633EE0A367FD379C7@[192.168.1.39]>
- User-agent: NeoMutt/20170113 (1.7.2)
On Tue, Jul 02, 2019 at 09:36:25AM -0700, Quanah Gibson-Mount wrote:
> b) That the way to do this with GnuTLS is via the TLSCipherSuite
> setting. The man page directs one to look at the gnutls-cli(1) man
> page, in particular, the --priority setting.
> If we pull up this man page (<https://linux.die.net/man/1/gnutls-cli>
> for example), there are some examples provided there. Based on those
> examples, it looks like perhaps something along the lines of:
> "NONE:+VERS-SSL3.0" would enable *just* SSL3.0. I'd guess you could
> set it to something like "NORMAL:+VERS-SSL3.0" or perhaps
> "EXPORT:+VERS-SSL3.0"
NORMAL:+VERS-SSL3.0 sounds like the right idea. I'd avoid EXPORT unless
really, absolutely necessary. Depending on the specific client software
you may also have to enable some additional cipher suite(s).
I would also add that you can use gnutls-cli(1) to verify and test your
priority strings.
e.g.: gnutls-cli -l --priority 'NORMAL:+VERS-SSL3.0' will show you the
ciphers and other features enabled by that priority string, and inform
you if the string is not valid.
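As an added example (not part of this thread and not OpenLDAP or GnuTLS code), a small Python checker that drives `gnutls-cli -l --priority` the way Ryan suggests, parses the summary lines of its listing, and flags deprecated protocols and weak ciphers so that an SSL3.0 exception in TLSCipherSuite is visible and deliberate. The listing layout and the assumption that gnutls-cli exits non-zero on an invalid priority string are mine, and the embedded sample listing is constructed.

```python
# Audit a GnuTLS priority string (slapd's TLSCipherSuite value) by parsing
# what `gnutls-cli -l --priority STRING` prints.
import re
import shutil
import subprocess

# Protocols that should only be enabled as a deliberate, documented exception.
DEPRECATED_PROTOCOLS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}
# GnuTLS cipher names worth flagging if a priority string enables them.
WEAK_CIPHERS = {"ARCFOUR-128", "ARCFOUR-40", "3DES-CBC", "DES-CBC", "RC2-40", "NULL"}

def gnutls_listing(priority):
    """Run gnutls-cli -l; a non-zero exit is taken to mean an invalid string (assumption)."""
    exe = shutil.which("gnutls-cli")
    if exe is None:
        raise FileNotFoundError("gnutls-cli is not installed")
    proc = subprocess.run([exe, "-l", "--priority", priority],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise ValueError(f"invalid priority string {priority!r}: {proc.stderr.strip()}")
    return proc.stdout

def parse_listing(text):
    """Turn the summary lines (Protocols:, Ciphers:, ...) into sets of names."""
    summary = {}
    for line in text.splitlines():
        m = re.match(r"^(Protocols|Ciphers|MACs|Key Exchange Algorithms):\s*(.*)$", line)
        if m:
            summary[m.group(1)] = {x.strip() for x in m.group(2).split(",") if x.strip()}
    return summary

def audit(summary):
    """Return the deprecated protocols and weak ciphers a priority string enables."""
    return {
        "deprecated_protocols": sorted(summary.get("Protocols", set()) & DEPRECATED_PROTOCOLS),
        "weak_ciphers": sorted(summary.get("Ciphers", set()) & WEAK_CIPHERS),
    }

# Constructed sample of the listing for NORMAL:+VERS-SSL3.0 (suite list trimmed).
SAMPLE_LISTING = """\
Cipher suites for NORMAL:+VERS-SSL3.0
TLS_ECDHE_RSA_AES_128_GCM_SHA256          0xc0, 0x2f      TLS1.2
TLS_RSA_AES_128_CBC_SHA1                  0x00, 0x2f      SSL3.0

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.2, VERS-DTLS1.0
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-128-GCM, AES-128-CBC
MACs: AEAD, SHA1
Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, RSA, DHE-RSA
"""
```

On a host with gnutls-cli installed, `audit(parse_listing(gnutls_listing("NORMAL:+VERS-SSL3.0")))` performs the same check against the live tool instead of the sample.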