You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@directory.apache.org by Thomas Elonn <to...@gmail.com> on 2017/03/26 13:43:45 UTC
[ApacheDS] Problem with limiting ciphers for ldaps
Hello everyone,
I am trying to improve security in ApacheDS by limiting accepted protocols
and ciphers for ldaps connection. To do that, I'm altering the
ads-transportid=ldaps.ldif file. Example:
dn: ads-transportid=ldaps,ou=transports,ads-serverId=
ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-systemport: 10636
ads-transportenablessl: TRUE
ads-transportaddress: 0.0.0.0
ads-transportid: ldaps
objectclass: ads-transport
objectclass: ads-tcpTransport
objectClass: ads-base
objectclass: top
ads-enabled: TRUE
*ads-enabledProtocols: TLSv1.1ads-enabledProtocols: TLSv1.2*
*ads-wantClientAuth: true*
*ads-needClientAuth: false*
This code above successfully removes TLSv1.0 from being accepted. Here is
result from nmap:
$ nmap --script ssl-cert,ssl-enum-ciphers -p 10636 192.168.2.209
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-25 19:52 CET
Nmap scan report for vm-ubuntu (192.168.2.209)
Host is up (0.00034s latency).
PORT STATE SERVICE
10636/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256k1) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 1024) - E
| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
| TLS_DH_anon_WITH_AES_128_CBC_SHA - F
| TLS_DH_anon_WITH_DES_CBC_SHA - F
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256k1) - E
| TLS_ECDHE_RSA_WITH_NULL_SHA (secp256k1) - F
| TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - F
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
| TLS_ECDH_anon_WITH_NULL_SHA - F
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
| TLS_RSA_WITH_DES_CBC_SHA (rsa 512) - E
| TLS_RSA_WITH_NULL_MD5 (rsa 512) - F
| TLS_RSA_WITH_NULL_SHA (rsa 512) - F
| compressors:
| NULL
| cipher preference: server
| warnings:
| Ciphersuite uses MD5 for message integrity
| Weak certificate signature: SHA1
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - E
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - C
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - C
| TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
| TLS_DH_anon_WITH_AES_128_CBC_SHA - F
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256k1) - E
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256k1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - C
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - C
| TLS_ECDHE_RSA_WITH_NULL_SHA (secp256k1) - F
| TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - F
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
| TLS_ECDH_anon_WITH_NULL_SHA - F
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 512) - E
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 512) - C
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 512) - C
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 512) - C
| TLS_RSA_WITH_NULL_MD5 (rsa 512) - F
| TLS_RSA_WITH_NULL_SHA (rsa 512) - F
| TLS_RSA_WITH_NULL_SHA256 (rsa 512) - F
| compressors:
| NULL
| cipher preference: client
| warnings:
| Ciphersuite uses MD5 for message integrity
| Weak certificate signature: SHA1
|_ least strength: F
Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
So, next step is limiting the ciphers. Lets say that I want only some
of above ciphers. I pick some and put them in the same .ldif file
(example):
ads-enabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ads-enabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ads-enabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
After restarting ApacheDS, result of the same nmap command is the same
as before. What am I doing wrong? Am I putting these parameter in
correct place? I know ads-enabledCiphers entries are being read
because when I put nonexisting cipher there, ADS wont accept any
connections.
Also, does ApacheDS use system-wide security providers (defined in
java.security) or has its own set defined somewhere?
Many thanks,
Tom