Hello, I have configured OpenLDAP using SSL certificate, but I have a few issues.
Here the TLS configuration, especially "olcTLSProtocolMin: 3.3"
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 c70363a6 dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 creatorsName: cn=config createTimestamp: 20221213065102Z olcPasswordCryptSaltFormat: $6$%.16s olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt olcTLSProtocolMin: 3.3 entryCSN: 20221214054517.926245Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20221214054517Z
But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ?
root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 Version: 2.0.7 OpenSSL 1.1.1n 15 Mar 2022 Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4 Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 enabled TLSv1.1 enabled TLSv1.2 enabled TLSv1.3 enabled TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Secure session renegotiation supported TLS Compression: OpenSSL version does not support compression Rebuild with zlib1g-dev package for zlib support Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed TLSv1.1 not vulnerable to heartbleed TLSv1.0 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-CCM Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-CCM Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits AES128-SHA Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 Accepted TLSv1.1 256 bits AES256-SHA Accepted TLSv1.1 128 bits AES128-SHA Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 Accepted TLSv1.0 256 bits AES256-SHA Accepted TLSv1.0 128 bits AES128-SHA Server Key Exchange Group(s): TLSv1.3 128 bits secp256r1 (NIST P-256) TLSv1.3 192 bits secp384r1 (NIST P-384) TLSv1.3 260 bits secp521r1 (NIST P-521) TLSv1.3 128 bits x25519 TLSv1.3 224 bits x448 TLSv1.3 112 bits ffdhe2048 TLSv1.3 128 bits ffdhe3072 TLSv1.3 150 bits ffdhe4096 TLSv1.3 175 bits ffdhe6144 TLSv1.3 192 bits ffdhe8192 TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits x25519 TLSv1.2 224 bits x448 SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048 Subject: ldap.homebox.world Altnames: DNS:ldap.homebox.world Issuer: (STAGING) Artificial Apricot R3 Not valid before: Dec 13 05:34:29 2022 GMT Not valid after: Mar 13 05:34:28 2023 GMT
Thanks for your insights. Andre
