author | Mike Sullivan <Mike.Sullivan@Oracle.COM> |
Thu, 26 Jan 2017 16:44:14 -0800 | |
changeset 7617 | 14b1a4293086 |
parent 5911 | a8d897c4c442 |
permissions | -rw-r--r-- |
4654
94e90d50dc0e
20220521 OpenLDAP TLS Protocol/Ciphersuite selection for nsswitch-ldap
zihao.zhu@oracle.com <zihao.zhu@oracle.com>
Fixes problem with setting the TLS client protocol version and ciphersuite |
in the NSSWITCH LDAP library in Solaris. |
Patch was developed in-house; it is Solaris specific and |
will not be contributed upstream. |
|
--- openldap-2.4.44/libraries/libldap/ldap.conf.old Thu Nov 5 10:11:14 2015 |
+++ openldap-2.4.44/libraries/libldap/ldap.conf Thu Nov 5 10:16:44 2015 |
@@ -9,5 +9,8 @@ |
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 |
|
#SIZELIMIT 12 |
#TIMELIMIT 15 |
#DEREF never |
+ |
+TLS_PROTOCOL_MIN 3.2 |
+TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA |
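Review bot: `TLS_PROTOCOL_MIN 3.2` sets the client floor at TLS 1.1, not TLS 1.2, because OpenLDAP encodes the version as SSL major.minor (3.1 is TLS 1.0, 3.2 is TLS 1.1, 3.3 is TLS 1.2); so although the cipher string leads with the `TLSv1.2` keyword, a TLS 1.1 handshake using one of the explicitly listed CBC/SHA1 suites is still accepted. If the intent is a TLS 1.2 floor, change the line to `TLS_PROTOCOL_MIN 3.3`; if TLS 1.1 is deliberate, add a comment above the two directives saying so, since the description only speaks of "the TLS client protocol version". Also reconsider `DHE-RSA-DES-CBC3-SHA`, `DHE-DSS-DES-CBC3-SHA` and `DES-CBC3-SHA`, which give only 112-bit 3DES with a 64-bit block; `!aNULL:!eNULL` does not exclude them, and on a TLS 1.1 connection they and the other SHA1 suites are the only ones left to negotiate.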
--- openldap-2.4.44/servers/slapd/slapd.conf.old Thu Nov 5 10:11:25 2015 |
+++ openldap-2.4.44/servers/slapd/slapd.conf Thu Nov 5 10:16:24 2015 |
@@ -23,6 +23,8 @@ |
# Require 112-bit (3DES or better) encryption for updates |
# Require 63-bit encryption for simple bind |
# security ssf=1 update_ssf=112 simple_bind=64 |
+TLSProtocolMin 3.2 |
+TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA |
|
# Sample access control policy: |
# Root DSE: allow anyone to read it |
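Review bot: Same version mismatch as in the ldap.conf hunk: `TLSProtocolMin 3.2` is TLS 1.1 in OpenLDAP's major.minor encoding while the `TLSCipherSuite` string starts with the `TLSv1.2` keyword, so use `TLSProtocolMin 3.3` for a TLS 1.2 floor on the server, or document that TLS 1.1 is intended. Placement is also a problem: the two new directives sit directly under the commented `# security ssf=1 update_ssf=112 simple_bind=64` line with no blank line or comment of their own, so they read as a continuation of that commented-out example rather than as live configuration; move them after the following blank line or give them a heading comment. Note that `security` itself stays commented out, so nothing in this hunk enforces a minimum SSF for binds or updates; the protection here comes only from the protocol floor and cipher list.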