Re: Issues enabling SSL/TLS for config DS

On 06/17/2017 08:33 AM, dave_horton2001@xxxxxxxxxxx wrote:
> I figured out the issue here so updating for anyone else who may suffer this problem.
>
> It appears that when things are locked down to prevent use of SSLv3, if you want to use SSL with the Config DS from the admin server, you also need to specify the min/max SSL/TLS version in adm.conf.
>
> I added the following to adm.conf and it sprang to life.
>
> sslVersionMin: TLS1.0
> sslVersionMax: TLS1.2
>
> I had added as much debug as I could but still couldn't find out what was going on, so I got the source for 389, nss and openldap and pored through it.  I built a debug version of the admin server and deployed that.  Trying the config DS with SSL then showed this in the log.
>
> util_ldap_init: Success: set up conn to [ldap.1ga.home:636] using TLS/SSL
> util_ldap_bind: attempting SIMPLE bind with id [] creds []
> util_ldap_bind: Error: could not send bind request for id [] mech [SIMPLE]: error -1 (Can't contact LDAP server) -12168 (SSL version range is not valid.) 2 (No such file or directory)
>
> Searching for "SSL version range is not valid" in the source I figured out that the NSS was rejecting the admin server's attempt to bind over SSL/TLS due to a mismatch in expected versions and that it was trying to pull a range from the adm.conf file.
>
> It's mentioned in http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html to add the sslVersionMin/Max parameters to the console preferences file but it doesn't mention anything about adding them to adm.conf.
I'll get that fixed in both docs.
> Similarly, in http://directory.fedoraproject.org/docs/389ds/administration/adminserver.html it doesn't mention these parameters.  Could be worth an update to the documentation.
Will do.
>
> As a follow up question, I've read that ldap:389/STARTTLS is preferred over ldaps.  Is it possible to configure the DS to listen on 389 but reject any requests that don't perform a STARTTLS after the initial connect?  I've not seen anything anywhere that indicates this is possible, only that you can disable port 389 entirely.
You can require secure connections (LDAPS or StartTLS) under cn=config:

nsslapd-require-secure-binds: on


This is discussed in the Admin Guide:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/configuring-special-binds#requiring-secure-binds

And on the wiki:

http://www.port389.org/docs/389ds/howto/howto-require-secure-binds.html

Regards,
Mark
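Two things in this thread are easy to get wrong by hand: the adm.conf version range (NSS rejects the bind with "SSL version range is not valid" when it cannot be applied) and the cn=config attribute Mark names. The following added example, which is not code from the 389-ds project or from either poster, parses adm.conf lines in the `key: value` form shown above, checks the range before the admin server is restarted, and builds the ldapmodify LDIF for `nsslapd-require-secure-binds`. The protocol-name ordering and the `SSL3` spelling are assumptions.

```python
"""Check the adm.conf TLS range and emit the cn=config change that requires
secure binds.  Added example; not from 389-ds.  The adm.conf 'key: value'
format and the attribute names come from the thread."""
import re

# Assumed ascending protocol order.  NSS refuses a range whose min is above
# its max, which is the "SSL version range is not valid" failure in the log.
VERSION_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


def parse_adm_conf(text):
    """Parse 'key: value' lines (the style shown in the thread) into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w.]*)\s*:\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_version_range(conf):
    """Return (ok, reason) for the three ways the range can be unusable:
    a key missing, an unknown protocol name, or min above max."""
    lo, hi = conf.get("sslVersionMin"), conf.get("sslVersionMax")
    if lo is None or hi is None:
        return False, "sslVersionMin and sslVersionMax must both be set in adm.conf"
    for v in (lo, hi):
        if v not in VERSION_ORDER:
            return False, "unknown protocol name %r" % v
    if VERSION_ORDER.index(lo) > VERSION_ORDER.index(hi):
        return False, "sslVersionMin %s is above sslVersionMax %s" % (lo, hi)
    return True, "range %s..%s is valid" % (lo, hi)


def require_secure_binds_ldif(enable=True):
    """LDIF for 'ldapmodify -D "cn=Directory Manager" -W' that sets the
    attribute Mark points to, so plaintext simple binds on 389 are refused."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-require-secure-binds\n"
            "nsslapd-require-secure-binds: %s\n" % ("on" if enable else "off"))


# Constructed samples: Dave's working fragment, and an inverted range.
GOOD_ADM_CONF = "sslVersionMin: TLS1.0\nsslVersionMax: TLS1.2\n"
BAD_ADM_CONF = "sslVersionMin: TLS1.2\nsslVersionMax: TLS1.0\n"

if __name__ == "__main__":
    print(check_version_range(parse_adm_conf(GOOD_ADM_CONF)))
    print(check_version_range(parse_adm_conf(BAD_ADM_CONF)))
    print(require_secure_binds_ldif())
```

Note that `nsslapd-require-secure-binds` only rejects binds over a plaintext connection; anonymous searches on 389 are still answered, so a STARTTLS-only port is still not what the setting provides.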

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx