author: zihao.zhu@oracle.com <zihao.zhu@oracle.com>
date: Fri, 07 Aug 2015 15:29:52 -0700
branch: s11u2-sru13-backport
changeset 4756: 9d8743313ecd
parent 4705: 19671f39ce55
child 5911: a8d897c4c442
permissions: -rw-r--r--
annotate: changeset 4705 (19671f39ce55) "20220521 OpenLDAP TLS Protocol/Ciphersuite selection for nsswitch-ldap", zihao.zhu@oracle.com <zihao.zhu@oracle.com>

Fixes problem with setting the TLS client protocol version and ciphersuite
in the NSSWITCH LDAP library in Solaris.
Patch was developed in-house; it is Solaris specific and
will not be contributed upstream.

--- openldap-2.4.30/libraries/libldap/ldap.conf.old Mon Jun 1 16:46:56 2015
+++ openldap-2.4.30/libraries/libldap/ldap.conf Mon Jun 1 16:47:08 2015
@@ -9,5 +9,8 @@
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
+
+TLS_PROTOCOL_MIN 3.2
annotate: the following line is from changeset 4756 (9d8743313ecd, parent 4705) "21577683 Incorrect TLS_CIPHER_SUITE string value in ldap.conf and slapd.conf", zihao.zhu@oracle.com <zihao.zhu@oracle.com>
+TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
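Review bot: TLS_PROTOCOL_MIN 3.2 sets TLS 1.1 as the floor (ldap.conf(5) takes <major>.<minor>, where 3.1 is TLS 1.0, 3.2 is TLS 1.1 and 3.3 is TLS 1.2), yet the TLS_CIPHER_SUITE value opens with the TLSv1.2 keyword, which in OpenSSL cipher-list syntax is an alias for the suites that require TLS 1.2 and is not a protocol restriction. If TLS 1.2 is the intended minimum, the line should read `+TLS_PROTOCOL_MIN 3.3`; if TLS 1.1 is intended, the leading TLSv1.2 token silently adds suites the explicit list never names, and a `!aNULL:!eNULL:<named suites>` string without it would state the policy exactly. A short comment on why every named suite is a CBC/SHA1 suite and three of them are 3DES (DES-CBC3-SHA, 112-bit effective strength) would also help anyone who later tightens this sample.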
--- openldap-2.4.30/servers/slapd/slapd.conf.old Mon Jun 1 16:47:47 2015
+++ openldap-2.4.30/servers/slapd/slapd.conf Mon Jun 1 16:47:59 2015
@@ -22,10 +22,12 @@
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
+TLSProtocolMin 770
+TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
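Review bot: TLSProtocolMin 770 encodes the same floor as the ldap.conf hunk's 3.2 (770 = 0x0302, major 3, minor 2, i.e. TLS 1.1) but as a raw integer, while slapd.conf(5) documents the <major>.<minor> form; writing `+TLSProtocolMin 3.2` (or 3.3 if TLS 1.2 is meant, which is what the TLSv1.2 keyword opening TLSCipherSuite suggests) keeps the two sample files consistent and makes the chosen version obvious to an administrator. The two directives are inserted into the "Sample security restrictions" block whose own `security` line is commented out, so unlike the surrounding sample they take effect in every deployment that starts from this file; a one-line comment stating that they are active, and that the named suites are all CBC/SHA1 with three 3DES entries matching the "112-bit (3DES or better)" remark above, would document the intended policy.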