evaipar

Reputation: 151

How do I disable SSL V3/TLS 1.0 for OpenLDAP, or how do I disable TLS 1.0 support on LDAP port 636?

Tried the following, as per this article: https://access.redhat.com/articles/1474813

Place a tls.ldif config file with the below config instructions in it:

dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
# OpenLDAP encodes the version as major.minor: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2
olcTLSProtocolMin: 3.2

TLS 1.0 is still showing up as enabled for port 636. I need to enable support for TLS 1.1 and higher. The above URL provides a solution for RHEL 7, but I am using RHEL 6; maybe that's the reason why this solution is not working for me.

Upvotes: 1

Views: 10345

Answers (1)

M_dk

Reputation: 2494

This answer applies to Red Hat Identity Manager (and possibly also FreeIPA).

To set a minimum version of TLS for the Directory Server component, do the following:

  1. Stop the dirsrv service: systemctl stop dirsrv@YOURDOMAIN-COM.service

  2. Ensure that sslVersionMin: TLS1.2 is set in the file /etc/dirsrv/slapd-YOURDOMAIN-COM/dse.ldif

  3. Start the dirsrv service again: systemctl start dirsrv@YOURDOMAIN-COM.service

To check the offered TLS versions you can use the ssl-enum-ciphers script for nmap like so:

nmap --script ssl-enum-ciphers -p636 localhost

The output should only show TLS versions higher than what you specified in the dse.ldif file:

$ nmap --script ssl-enum-ciphers -p636 localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-13 12:03 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Keep in mind that this change needs to be done on all servers where the dirsrv service is running.

Upvotes: 1
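Both procedures on this page, the olcTLSProtocolMin modify from the question and the dse.ldif edit from the answer, together with the handshake check that tells you whether the change actually took effect on port 636, as one added shell example. It is not code from either poster: the ldapi:/// socket, the file paths and the host names are assumptions, and the dse.ldif fragment used by demo is constructed for the dry run rather than taken from a server.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: raise the minimum
# TLS version on LDAPS (tcp/636) for an OpenLDAP cn=config server and for a
# 389 DS / IdM dse.ldif, then probe the port to confirm TLS 1.0 is gone.
# The ldapi:/// socket, file paths and host names are illustrative assumptions.
set -eu

# OpenLDAP writes olcTLSProtocolMin as the record-layer "major.minor":
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2 (see slapd-config(5)).
olc_version() {
    case "$1" in
        1.0) echo 3.1 ;;
        1.1) echo 3.2 ;;
        1.2) echo 3.3 ;;
        *)   echo "unsupported TLS version: $1" >&2; return 1 ;;
    esac
}

# LDIF for cn=config, the same shape as in the question. Apply it with
#   openldap_ldif 1.1 | ldapmodify -Y EXTERNAL -H ldapi:///
# A slapd.conf deployment takes "TLSProtocolMin 3.2" in slapd.conf instead,
# followed by a slapd restart.
openldap_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' \
        "$(olc_version "$1")"
}

# 389 DS / IdM: sslVersionMin lives in the cn=encryption,cn=config entry of
# dse.ldif. Print its value, or nothing when unset (the server default applies).
dse_min_version() {
    awk '/^dn: / { in_enc = ($0 == "dn: cn=encryption,cn=config") }
         in_enc && /^sslVersionMin: / { print $2; exit }' "$1"
}

# Replace, or insert, sslVersionMin in that entry. Stop the dirsrv instance
# first: it rewrites dse.ldif on shutdown and would discard a live edit.
dse_set_min() {
    file=$1; version=$2; tmp="$file.tmp.$$"
    awk -v ver="$version" '
        /^dn: / { in_enc = ($0 == "dn: cn=encryption,cn=config"); seen = 0 }
        in_enc && /^sslVersionMin: / { print "sslVersionMin: " ver; seen = 1; next }
        in_enc && /^$/ && !seen      { print "sslVersionMin: " ver; seen = 1 }
        { print }
        END { if (in_enc && !seen) print "sslVersionMin: " ver }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# One handshake per protocol version with openssl s_client. With a TLS 1.1
# minimum tls1 must be rejected; with TLS 1.2, tls1_1 as well. Run it from a
# client whose own OpenSSL still offers TLS 1.0 (the RHEL 6 host itself does),
# or a "rejected" may come from the client side rather than the server.
probe_tls() {
    host=$1; port=${2:-636}
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1
        then echo "$v accepted"
        else echo "$v rejected"
        fi
    done
}

# Dry run on a constructed dse.ldif fragment (not taken from a real server).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
sslVersionMin: TLS1.0

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
EOF
    echo "before: sslVersionMin=$(dse_min_version "$f")"
    dse_set_min "$f" TLS1.2
    echo "after:  sslVersionMin=$(dse_min_version "$f")"
    rm -f "$f"
}

case "${1:-demo}" in
    demo)  demo ;;
    ldif)  openldap_ldif "$2" ;;
    dse)   dse_set_min "$2" "$3"; echo "sslVersionMin now: $(dse_min_version "$2")" ;;
    probe) probe_tls "$2" "${3:-636}" ;;
    *)     echo "usage: $0 demo | ldif 1.0|1.1|1.2 | dse <dse.ldif> TLS1.x | probe <host> [port]" >&2 ;;
esac
```

Before probing an OpenLDAP server, read the attribute back with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcTLSProtocolMin: a modify that was rejected (wrong backend, no write access to cn=config) looks exactly like a server that ignores the setting, and only the read-back tells the two apart. The probe and the nmap ssl-enum-ciphers run in the answer should then agree: tls1 rejected for a TLS 1.1 minimum, and only TLSv1.2 listed when the minimum is TLS 1.2.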
