Colin Bitterfield:

Yes, I know it's deprecated.

I am finding the LDAPModify for changing parameters the most difficult ever.

I have a client that can only support SSLv3. Can someone give me a one-liner to enable SSLv3 on the server?


There is absolutely nothing in the manual regarding this. 

Jeremy Davis:

TBH, I'm not 100% sure it's possible as it may require some compile time options to OpenLDAP to support older SSL (i.e. pre TLSv1.0). Although, I suspect that it should still be possible.

Assuming that it is still possible, you'll need to generate (or use) a certificate which supports SSLv3 (IIRC by default certificates generated on TurnKey set TLSv1.1 as minimum). If you are using self signed certs generated by TurnKey, then that will require you to generate a new cert. By default, we use 'certtool'. See the default TurnKey OpenLDAP firstboot script which generates the default certificates on initial boot. You may also find the certtool man page useful.

I'm pretty sure that you'll also need to ensure that SSLv3 is enabled within OpenLDAP itself. Unfortunately I'm not 100% sure how to do that, but I did find how to disable it. FWIW here's the page I found, (specific bit is under the heading "Disable SSLv3"). Although I note that it's for Debian 8/Wheezy - the previous Debian version so I'm not 100% sure that it's relevant to TurnKey v15.x (based on Debian 9/Stretch). My guess is that you could adjust that instruction to enable SSLv3. Perhaps something like this(?):

cat > ./sslv3.ldif << EOF
dn: cn=config
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:+VERS-SSL3.0
EOF

Then hopefully this should work:

ldapmodify -Y EXTERNAL -H ldapi:/// -f ./sslv3.ldif

That page also shows how to use gnutls and/or nmap to check for the cyphers which LDAP supports. gnutls should already be installed, but I'm not sure about nmap. If the nmap command gives an error, then installing it (via 'apt-get install nmap') should do the trick. To reiterate the commands from that doc page:

gnutls-cli-debug -p 636 localhost | head

And/or

nmap -Pn -p T:636 --script ssl-enum-ciphers localhost

(As is likely obvious) you're looking for anything related to SSL 3.0 in the output of either/both of those.

I also note that SSL/TLS settings can be noted in the LDAP config file (/etc/ldap/ldap.conf). Although I'm not sure if that's the way that it's done by default. FWIW here's the ldap.conf man page just in case.

Sorry that I can't be a bit more specific, but hopefully that heads you in the right direction...

Colin Bitterfield:

The gnutls rocks.


The LDIF file didn't work.


root@openldap /home/admin# cat > ./sslv3.ldif << EOF
> dn: cn=config
> add: olcTLSCipherSuite
> olcTLSCipherSuite: SECURE256:+VERS-SSL3.0
> EOF
root@openldap /home/admin# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./sslv3.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcTLSCipherSuite: no equality matching rule

root@openldap /home/admin# gnutls-cli-debug -p 636 localhost | head
unknown protocol 'ldaps'
GnuTLS debug client 3.5.8
Checking localhost:636
                             for SSL 3.0 (RFC6101) support... no
                        whether we need to disable TLS 1.2... no
                        whether we need to disable TLS 1.1... no
                        whether we need to disable TLS 1.0... no
                        whether %NO_EXTENSIONS is required... no
                               whether %COMPAT is required... no
                             for TLS 1.0 (RFC2246) support... yes
                             for TLS 1.1 (RFC4346) support... yes
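Two things in the transcript above are worth pinning down with a runnable check. First, the "no equality matching rule" error is what slapd returns when an LDIF uses "add:" on an attribute that has no EQUALITY rule in the schema (olcTLSCipherSuite is one of them), so the modification has to be written with "replace:" instead. Second, gnutls-cli-debug prints one "... yes/no" line per protocol version, which is easy to parse into a plain list. The script below is an added example written for this thread, not something posted by either participant or shipped by TurnKey or OpenLDAP. It assumes a GnuTLS-linked slapd (so olcTLSCipherSuite takes a GnuTLS priority string) and uses olcTLSProtocolMin in its major.minor form (3.1 is TLS 1.0, 3.3 is TLS 1.2); the sample debug output is copied from the transcript above and embedded so the parser runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a cn=config LDIF with
# "replace:" and parses gnutls-cli-debug output into a protocol list.

# Emit a cn=config LDIF that sets the GnuTLS priority string and the minimum
# protocol version. "replace:" is required: olcTLSCipherSuite has no EQUALITY
# matching rule, so "add:" fails with "Inappropriate matching (18)".
#   $1 = GnuTLS priority string, $2 = olcTLSProtocolMin as major.minor
make_tls_ldif() {
  priority="$1"
  proto_min="$2"
  printf 'dn: cn=config\nchangetype: modify\n'
  printf 'replace: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n-\n' "$priority"
  printf 'replace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "$proto_min"
}

# Read gnutls-cli-debug output on stdin and print each protocol version that
# answered "yes", one per line (e.g. "TLS 1.0").
enabled_protocols() {
  awk '/ support\.\.\. yes$/ {
         sub(/^ *for /, "")
         sub(/ \(RFC[0-9]+\) support\.\.\. yes$/, "")
         print
       }'
}

# Summarise the SSL 3.0 line as "enabled" or "disabled" (stdin as above).
sslv3_status() {
  if enabled_protocols | grep -q '^SSL 3\.0$'; then
    echo enabled
  else
    echo disabled
  fi
}

# Constructed sample: the gnutls-cli-debug lines quoted in the thread above.
SAMPLE_DEBUG_OUTPUT='Checking localhost:636
                             for SSL 3.0 (RFC6101) support... no
                        whether we need to disable TLS 1.2... no
                        whether we need to disable TLS 1.1... no
                        whether we need to disable TLS 1.0... no
                        whether %NO_EXTENSIONS is required... no
                               whether %COMPAT is required... no
                             for TLS 1.0 (RFC2246) support... yes
                             for TLS 1.1 (RFC4346) support... yes'

# Demo: a hardened setting (TLS 1.2 only) and the parsed sample output.
# Against a live server you would pipe "gnutls-cli-debug -p 636 localhost"
# into enabled_protocols instead of the sample.
make_tls_ldif 'SECURE256:-VERS-ALL:+VERS-TLS1.2' 3.3
echo "Protocols accepted by the sampled listener:"
printf '%s\n' "$SAMPLE_DEBUG_OUTPUT" | enabled_protocols
echo "SSL 3.0: $(printf '%s\n' "$SAMPLE_DEBUG_OUTPUT" | sslv3_status)"
```

Apply the generated LDIF exactly as in the thread (ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif), then re-run gnutls-cli-debug and compare the list before and after; a priority string that still lists TLS 1.0 after you intended to drop it is the usual sign that the cn=config change was rejected or never loaded.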
Jeremy Davis:

I hoped that might have worked, but TBH I'm not super surprised that it didn't... As I've probably already noted, I know very little about OpenLDAP (or LDAP in general), plus my SSL understanding is also quite limited (I know a bit more about TLS, but more about using it in context of web servers and "best practice" of making it secure, rather than allowing it to be more permissive...).

So backing up a bit (and not just stabbing in the dark); to make this work, you'll need a few things:

  1. Understanding of what cyphers and encryption levels/types your certificate supports, including ensuring that it supports SSLv3.0.
  2. Configuring OpenLDAP to support the relevant SSLv3.0 cyphers/encryption that your certificate provides.

The answer to question #1 should be available from the issuer of your certificate. If you are using this certificate elsewhere and it is definitely allowing SSLv3.0 then querying it with GnuTLS may give you the required info? That may be a bit tricky as most modern software automatically disables anything less than TLSv1.0 (browsers rarely support anything less than TLSv1.1 AFAIK).

I'm still unclear on exactly how to enable SSLv3.0 on OpenLDAP, although I suspect that once you're aware of the SSLv3.0 cyphers/encryption provided by your certificate, then it may be clearer. Although I think that you'll need advice from an OpenLDAP expert on exactly how to do that...

After lots of googling, an added complication that I've just been reading about is that the Debian OpenLDAP packages are compiled against GnuTLS' implementation of SSL/TLS rather than OpenSSL (FWIW it appears that was due to a licensing conflict between OpenLDAP and OpenSSL). OpenSSL is somewhat of an "industry standard" and is likely what your certificate has been generated with. In theory they should have plenty enough overlap to allow this to work, but as per always the devil is in the details...

TBH, I'm way out of my depth here... I think that this will need to be addressed by an OpenLDAP expert that understands how this works much better than me. I could continue stabbing in the dark, but I suspect that it will just waste more of both of our time...

FWIW, I've posted a message on the OpenLDAP "technical" mailing list and hopefully someone there might have some ideas...

Colin Bitterfield:

The certificate we are using is valid SSL/TLS from DigiCert

Colin Bitterfield:

We found a way to use StartTLS on port 389. Doesn't make sense but I am sure it's wrapped in a Java 11 issue.

Jeremy Davis:

FWIW the message I posted on the OpenLDAP mailing list got a couple of good looking suggestions. The first gives some good pointers and the second gives some confirmation and some additional info.

Regardless, it sounds like you're sorted. But if not, those messages are worth closer inspection.
