> On 23 Feb 2022 at 17:49, Quanah Gibson-Mount <qua...@fast-mail.org> wrote:
>>>> ication we need to drop the ssl version available on
>>>> our openldap server.
>>>>
>>>> Currently it supports TLSv1.2, checked with nmap --script
>>>> ssl-enum-ciphers -p 636 host
>>>>
>>>> Whatever value I put in olcTLSProtocolMin, the SSL version does not
>>>> change… I have tried 3.0, 3.1, 3.2…
>>>>
>>>> What am I missing?
>>>> Or is it a feature?
>>>
>>> What SSL library is your OpenLDAP linked to?
>>
>> From what I see in config.status
>> D["HAVE_OPENSSL_SSL_H"]=" 1"
>> D["HAVE_OPENSSL"]=" 1"
>>
>> ii  libssl-dev:amd64  1.1.1f-1ubuntu2.9  amd64  Secure Sockets Layer toolkit - development files
>> ii  libssl1.1:amd64   1.1.1f-1ubuntu2.9  amd64  Secure Sockets Layer toolkit - shared libraries
>
> Generally I'd look at the output of readelf or ldd on the slapd binary itself.
>
> I would note that as documented, olcTLSProtocolMin is N+1, so 3.2 would allow
> 1.1 or later. 3.2 would restrict it to TLS 1.2 or later. I'm not sure nmap
> is actually telling you all supported versions, just that 1.2 is allowed.
>
> I generally test using the openssl s_client command.
It works; let me show you.
Against the 2.4.0 OpenLDAP server:
nmap --script ssl-enum-ciphers -p 636 <oldldap>
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-23 17:59 CET
Nmap scan report for ldapd.dmzi.ipb.fr (10.220.18.53)
Host is up (0.00051s latency).
rDNS record for 10.220.18.53: ldap.dmzi.ipb.fr
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: C
As you can see, all the SSL versions are listed.
And with the 2.6.0 OpenLDAP server:
nmap --script ssl-enum-ciphers -p 636 <newserver>
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-23 18:03 CET
Nmap scan report for ldapd2021.dmzi.ipb.fr (10.220.18.61)
Host is up (0.000043s latency).
rDNS record for 10.220.18.61: ldap.bordeaux-inp.fr
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
So, as you can see, when the server accepts all protocols, nmap does list all the
protocols.
But I have tested with openssl s_client and got the same result (it just takes longer).
I attach here the cn=config.ldif:
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf
olcConfigDir: slapd.d
olcAllows: bind_v2
olcArgsFile: /usr/local/var/run/slapd/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /usr/local/var/run/slapd/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 25 ldap://<omitted>
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: c7dfcd66-fe72-103a-8d83-4d2d603596c4
creatorsName: cn=config
createTimestamp: 20210208160225Z
olcTLSCertificateKeyFile: /usr/local/etc/ssl/private/ldap.bordeaux-inp.fr-0001/privkey.pem
olcTLSCertificateFile: /usr/local/etc/ssl/certs/ldap.bordeaux-inp.fr-0001/fullchain.pem
olcTLSProtocolMin: 3.0
olcLogLevel: none
entryCSN: 20220222083441.609985Z#000000#019#000000
modifiersName: cn=config
modifyTimestamp: 20220222083441Z
contextCSN: 20210308104755.920794Z#000000#00e#000000
contextCSN: 20211122120925.101869Z#000000#018#000000
contextCSN: 20220222083441.609985Z#000000#019#000000
So… it still does not work. What can I do?
f.g.
—
Frédéric Goudal
Systems Engineer, DSI Bordeaux-INP
+33 556 84 23 11
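The script below is an added example for this thread, not code from either poster or from the OpenLDAP project. It does what Quanah suggests in shell: one openssl s_client handshake per TLS version against port 636 (LDAPS, so no StartTLS step), reading the result from the "New, <version>, Cipher is <suite>" line that s_client prints after the handshake, and it emits the LDIF that sets olcTLSProtocolMin using the slapd-config(5) encoding that Quanah's "N+1" remark refers to: 3.1 is TLS 1.0, 3.2 is TLS 1.1, 3.3 is TLS 1.2. Read against that table, the olcTLSProtocolMin: 3.0 in the posted cn=config is an SSL 3.0 floor and therefore leaves every TLS version enabled; 3.3 is the value that restricts the server to TLS 1.2 and later. The sample s_client output embedded for the offline parser check is constructed, and the ldapi:/// EXTERNAL bind in the usage note is an assumption about the deployment.

```shell
#!/bin/sh
# Probe which TLS versions an LDAPS listener accepts (one handshake per
# version) and produce the LDIF that raises olcTLSProtocolMin.
# Added example for this thread; not OpenLDAP project code.

# Read openssl s_client output on stdin and print the negotiated version
# taken from its "New, <version>, Cipher is <suite>" line. On a failed
# handshake s_client prints "New, (NONE), Cipher is (NONE)", and on a
# refused connection it prints no such line; both map to "none".
negotiated_version() {
    v=$(sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    case "$v" in
        ""|"(NONE)") echo none ;;
        *)           echo "$v" ;;
    esac
}

# Try each version in turn, forcing it with the matching s_client flag.
# stdin from /dev/null ends the session as soon as the handshake is done.
# -connect goes straight to the LDAPS port, so no -starttls is needed.
probe_versions() {
    host=$1
    port=${2:-636}
    for entry in "TLSv1.0:-tls1" "TLSv1.1:-tls1_1" "TLSv1.2:-tls1_2" "TLSv1.3:-tls1_3"; do
        label=${entry%%:*}
        flag=${entry#*:}
        got=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>/dev/null \
              | negotiated_version)
        if [ "$got" = none ]; then
            printf '%-8s rejected\n' "$label"
        else
            printf '%-8s accepted (negotiated %s)\n' "$label" "$got"
        fi
    done
}

# LDIF to set the minimum version on cn=config. Codes per slapd-config(5):
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2 (the minor digit is N+1).
# 3.0 (SSL 3.0) is the lowest floor and disables no TLS version.
min_protocol_ldif() {
    case "$1" in
        1.0) code=3.1 ;;
        1.1) code=3.2 ;;
        1.2) code=3.3 ;;
        *)   echo "unsupported minimum TLS version: $1" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "$code"
}

# Constructed sample of s_client output after a successful handshake (not
# captured from the hosts in the thread), for exercising the parser offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

# Stand-alone use: ./ldaps_tls_check.sh ldap.example.org 636
if [ "$#" -ge 1 ]; then
    probe_versions "$@"
fi
```

Typical use is `probe_versions ldap.example.org`, then `min_protocol_ldif 1.2 | ldapmodify -Y EXTERNAL -H ldapi:///` (bind method assumed), then probe again; if the new floor is not applied to new connections, restart slapd and probe once more. One caveat when reading the probe: the client's own OpenSSL configuration can refuse old versions before the server gets a say. The libssl1.1 1.1.1f-1ubuntu2.9 shown above is the Ubuntu 20.04 build, whose stock /etc/ssl/openssl.cnf sets MinProtocol = TLSv1.2, so a -tls1 or -tls1_1 probe run from such a host reports "rejected" regardless of what slapd allows; point OPENSSL_CONF at a configuration without that floor, or probe from another host, before concluding the server dropped TLS 1.0 and 1.1.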