Colin Bitterfield - Sat, 2019/06/29 - 03:35
Yes, I know it's deprecated.
I am finding the LDAPModify for changing parameters the most difficult ever.
I have a client that can only support SSLv3. Can someone give me a one-liner to enable SSLv3 on the server?
There is absolutely nothing in the manual regarding this.
I'm not 100% sure it's possible, but I have some hints to try
TBH, I'm not 100% sure it's possible as it may require some compile time options to OpenLDAP to support older SSL (i.e. pre TLSv1.0). Although, I suspect that it should still be possible.
Assuming that it is still possible, you'll need to generate (or use) a certificate which supports SSLv3 (IIRC by default certificates generated on TurnKey set TLSv1.1 as minimum). If you are using self signed certs generated by TurnKey, then that will require you to generate a new cert. By default, we use 'certtool'. See the default TurnKey OpenLDAP firstboot script which generates the default certificates on initial boot. You may also find the certtool man page useful.
I'm pretty sure that you'll also need to ensure that SSLv3 is enabled within OpenLDAP itself. Unfortunately I'm not 100% sure how to do that, but I did find how to disable it. FWIW here's the page I found (the specific bit is under the heading "Disable SSLv3"). Although I note that it's for Debian 8/Wheezy (the previous Debian version), so I'm not 100% sure that it's relevant to TurnKey v15.x (based on Debian 9/Stretch). My guess is that you could adjust that instruction to enable SSLv3. Perhaps something like this(?):
LDIF didn't work
The gnutils rocks.
The LDIF file didn't work.
Stab in the dark failed, so backing up a little...
I hoped that might have worked, but TBH I'm not super surprised that it didn't... As I've probably already noted, I know very little about OpenLDAP (or LDAP in general), plus my SSL understanding is also quite limited (I know a bit more about TLS, but more about using it in context of web servers and "best practice" of making it secure, rather than allowing it to be more permissive...).
So backing up a bit (and not just stabbing in the dark); to make this work, you'll need a few things:
The answer to question #1 should be available from the issuer of your certificate. If you are using this certificate elsewhere and it is definitely allowing SSLv3.0 then querying it with GnuTLS may give you the required info? That may be a bit tricky as most modern software automatically disables anything less than TLSv1.0 (browsers rarely support anything less than TLSv1.1 AFAIK).
I'm still unclear on exactly how to enable SSLv3.0 on OpenLDAP, although I suspect that once you're aware of the SSLv3.0 cyphers/encryption provided by your certificate, then it may be clearer. Although I think that you'll need advice from an OpenLDAP expert on exactly how to do that...
After lots of googling, an added complication that I've just been reading about is that the Debian OpenLDAP packages are compiled against GnuTLS' implementation of SSL/TLS rather than OpenSSL (FWIW it appears that was due to a licensing conflict between OpenLDAP and OpenSSL). OpenSSL is somewhat of an "industry standard" and is likely what your certificate has been generated with. In theory they should have plenty enough overlap to allow this to work, but as per always the devil is in the details...
TBH, I'm way out of my depth here... I think that this will need to be addressed by an OpenLDAP expert that understands how this works much better than me. I could continue stabbing in the dark, but I suspect that it will just waste more of both of our time...
FWIW, I've posted a message on the OpenLDAP "technical" mailing list and hopefully someone there might have some ideas...
SSL/TLS Cert - It's a real one from DigiCert.
The certificate we are using is a valid SSL/TLS certificate from DigiCert.
The requirement changed.
We found a way to use StartTLS on port 389. Doesn't make sense, but I am sure it's wrapped in a Java 11 issue.
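The StartTLS upgrade on port 389 mentioned above, as an added example that is not code from this thread: it builds the RFC 4511 StartTLS ExtendedRequest, parses the server's ExtendedResponse, and only then wraps the socket with a TLS 1.2 minimum (the server, the hostname and SAMPLE_OK are assumptions/constructed values, not taken from the poster's setup).

```python
# Minimal LDAP StartTLS exchange (RFC 4511 section 4.14) with a hardened TLS policy.
# Assumes an LDAP server on port 389; SAMPLE_OK below is a constructed reply for offline use.
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV with short-form length; every StartTLS element is far below 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }"""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short- and definite long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    _, msg, _ = read_tlv(buf, 0)            # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(msg, 0)          # messageID INTEGER
    tag, body, _ = read_tlv(msg, pos)       # protocolOp, must be [APPLICATION 24]
    if tag != 0x78:
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = read_tlv(body, 0)        # resultCode ENUMERATED
    _, _dn, pos = read_tlv(body, pos)       # matchedDN (empty for StartTLS)
    _, diag, _ = read_tlv(body, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls(sock, server_hostname: str) -> ssl.SSLSocket:
    """Upgrade a plaintext LDAP socket; refuse anything below TLS 1.2."""
    sock.sendall(build_starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.wrap_socket(sock, server_hostname=server_hostname)

# Constructed sample reply: resultCode success(0), empty matchedDN and diagnosticMessage.
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")
```

A non-zero resultCode (for example when the server has TLS already active on that connection) raises before any TLS handshake is attempted, so a downgrade to plaintext cannot happen silently.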
Oh ok, great!
FWIW the message I posted on the OpenLDAP mailing list got a couple of good looking suggestions. The first gives some good pointers and the second gives some confirmation and some additional info.
Regardless, it sounds like you're sorted. But if not, those messages are worth closer inspection.