Openldap disabling SSL Ciphers
I'm putting up an instance of OpenLDAP for testing purposes. One of the first things I did after I installed the system was run a security scan on the system to see what obvious holes I needed to plug. One of them was that RC4 SSL ciphers were allowed in my instance. I have been searching for how to disable SSL ciphers in OpenLDAP (my version uses cn=config style configuration) and haven't found an answer yet. Can someone shed some light? I figured I'd post this here and see if anyone came up with anything while I continue to do research on it.
While we are on the subject, what is the preferred set of ciphers that everyone is currently using?
So I think I got a little closer. I know that I need to modify the olcTLSCipherSuite attribute. Here's what I have so far:
Code:
ldapmodify -D "cn=admin,dc=example,dc=com" -W -H ldapi:/// -f ./ciphers.ldif
Code:
dn: cn=config
Code:
modifying entry "cn=config"
Code:
ldapmodify -D "cn=admin,cn=config" -W -H ldapi:/// -f ./ciphers.ldif
Thanks! This was a big help. I had to add the cn=admin,cn=config password but once I did that, I was able to get past the insufficient access issue.
I did run into another issue, however. Apparently OpenLDAP doesn't like the OpenSSL style cipher names (i.e. HIGH:MEDIUM:!ADH:!MD5:!RC4). It only likes GnuTLS cipher names. Once I switched the olcTLSCipherSuite to GnuTLS cipher names, it worked. The only issue now is I have to find out a GnuTLS cipher list that excludes RC4 based ciphers. If I find it, I'll post it here. If anyone else knows off the top of their head, please let me know! Thanks again!
Got it:
Code:
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-ARCFOUR-128
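As an added example (not from the thread), the complete cn=config change the posts above describe, wrapped in a small shell script that also resolves the priority string with gnutls-cli before applying it and confirms slapd refuses an RC4-only handshake afterwards. The config admin DN, the ldapi:/// URL and the priority string are the thread's own; port 636 and the presence of ldapsearch, gnutls-cli and openssl are assumptions.

```shell
#!/bin/sh
# Constructed example: replace olcTLSCipherSuite in cn=config with the GnuTLS
# priority string from the thread, then verify RC4 is really gone.
# Assumed: slapd built against GnuTLS, reachable on ldapi:///, config admin DN
# cn=admin,cn=config, and ldapmodify/ldapsearch/gnutls-cli/openssl installed.

PRIORITY="SECURE:-VERS-SSL3.0:-ARCFOUR-128"
CONFIG_DN="cn=admin,cn=config"

# Emit the LDIF that replaces the attribute (GnuTLS syntax, not OpenSSL's HIGH:!RC4).
make_cipher_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' "$1"
}

# Return 0 if the priority string still resolves to any RC4 (ARCFOUR) suite.
# gnutls-cli resolves it the same way slapd will, so typos are caught before
# they are written into cn=config. Fails closed if gnutls-cli is missing.
priority_allows_rc4() {
    command -v gnutls-cli >/dev/null 2>&1 || return 0
    gnutls-cli --list --priority "$1" 2>/dev/null | grep -q ARCFOUR
}

apply_cipher_suite() {
    make_cipher_ldif "$1" > ./ciphers.ldif
    ldapmodify -D "$CONFIG_DN" -W -H ldapi:/// -f ./ciphers.ldif
}

# Read the live value back so the change is confirmed in cn=config.
show_cipher_suite() {
    ldapsearch -LLL -D "$CONFIG_DN" -W -H ldapi:/// -b cn=config -s base olcTLSCipherSuite
}

# Client-side check: a handshake limited to RC4 must be refused by slapd.
rc4_handshake_rejected() {
    ! openssl s_client -connect "$1" -cipher RC4 </dev/null >/dev/null 2>&1
}

# Run as: sh ciphers.sh apply [host:port]   (nothing runs when sourced)
if [ "${1:-}" = "apply" ]; then
    if priority_allows_rc4 "$PRIORITY"; then
        echo "priority string still enables RC4 (or gnutls-cli is missing), refusing to apply" >&2
        exit 1
    fi
    apply_cipher_suite "$PRIORITY"
    show_cipher_suite
    rc4_handshake_rejected "${2:-localhost:636}" && echo "RC4 handshake rejected: OK"
fi
```

The GnuTLS priority syntax only applies when slapd is linked against GnuTLS (as in the Debian/Ubuntu packages); a slapd built against OpenSSL takes an OpenSSL cipher list in the same attribute, which is why the HIGH:MEDIUM:!RC4 form was rejected here.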