1 Fixes problem with setting the TLS client protocol version and ciphersuite |
1 Fixes problem with setting the TLS client protocol version and ciphersuite |
2 in the NSSWITCH LDAP library in Solaris. |
2 in the NSSWITCH LDAP library in Solaris. |
3 Patch was developed in-house; it is Solaris specific and |
3 Patch was developed in-house; it is Solaris specific and |
4 will not be contributed upstream. |
4 will not be contributed upstream. |
5 |
5 |
6 --- openldap-2.4.30/libraries/libldap/ldap.conf.old Mon Jun 1 16:46:56 2015 |
6 --- openldap-2.4.44/libraries/libldap/ldap.conf.old Thu Nov 5 10:11:14 2015 |
7 +++ openldap-2.4.30/libraries/libldap/ldap.conf Mon Jun 1 16:47:08 2015 |
7 +++ openldap-2.4.44/libraries/libldap/ldap.conf Thu Nov 5 10:16:44 2015 |
8 @@ -9,5 +9,8 @@ |
8 @@ -9,5 +9,8 @@ |
9 #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 |
9 #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 |
10 |
10 |
11 #SIZELIMIT 12 |
11 #SIZELIMIT 12 |
12 #TIMELIMIT 15 |
12 #TIMELIMIT 15 |
13 #DEREF never |
13 #DEREF never |
14 + |
14 + |
15 +TLS_PROTOCOL_MIN 3.2 |
15 +TLS_PROTOCOL_MIN 3.2 |
16 +TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA |
16 +TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA |
17 --- openldap-2.4.30/servers/slapd/slapd.conf.old Mon Jun 1 16:47:47 2015 |
17 --- openldap-2.4.44/servers/slapd/slapd.conf.old Thu Nov 5 10:11:25 2015 |
18 +++ openldap-2.4.30/servers/slapd/slapd.conf Mon Jun 1 16:47:59 2015 |
18 +++ openldap-2.4.44/servers/slapd/slapd.conf Thu Nov 5 10:16:24 2015 |
19 @@ -22,10 +22,12 @@ |
19 @@ -23,6 +23,8 @@ |
20 # Sample security restrictions |
|
21 # Require integrity protection (prevent hijacking) |
|
22 # Require 112-bit (3DES or better) encryption for updates |
20 # Require 112-bit (3DES or better) encryption for updates |
23 # Require 63-bit encryption for simple bind |
21 # Require 63-bit encryption for simple bind |
24 # security ssf=1 update_ssf=112 simple_bind=64 |
22 # security ssf=1 update_ssf=112 simple_bind=64 |
25 +TLSProtocolMin 770 |
23 +TLSProtocolMin 3.2 |
26 +TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA |
24 +TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA |
27 |
25 |
28 # Sample access control policy: |
26 # Sample access control policy: |
29 # Root DSE: allow anyone to read it |
27 # Root DSE: allow anyone to read it |
30 # Subschema (sub)entry DSE: allow anyone to read it |
|
31 # Other DSEs: |
|