Force TLS1.2 in openldap

Description

Per CVE-2014-3566 we need to disallow SSLv3 and TLS1.0. The latest TLS version supported by openssl 1.0.1e is TLS1.2. Recent-ish updates to openldap-servers (shipped with SIMP-6) theoretically allow users to set a minimum TLS protocol version in slapd.conf, per https://access.redhat.com/solutions/1234843:

TLSProtocolMin 3.3
TLSCipherSuite +TLSv1.2:-TLSv1.0:-SSLv3:-SSLv2

I have tested and verified this solution works with openldap-servers-2.4.40-13.el7, distributed with 1611. I have NOT verified this solution in el6.

Once verified, we should puppetize a minimum bound based on the version of openldap-servers and re-define the cipher suite to eliminate TLS1.0 and SSLv3.
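A small check for the two directives above, added here as an example and not code from the ticket or the SIMP project. It assumes a slapd.conf-style file with the directive values the description shows, and treats TLSProtocolMin as the setting that actually enforces the floor (the cipher suite string only narrows the ciphers offered).

```shell
#!/bin/sh
# check_slapd_tls CONFIG_TEXT: returns 0 if TLSProtocolMin is >= 3.3 (TLS 1.2)
# and TLSCipherSuite excludes TLSv1.0, SSLv3 and SSLv2; otherwise prints each
# problem and returns 1. Only the last occurrence of a directive counts, as slapd does.
check_slapd_tls() {
    config=$1
    rc=0
    # TLSProtocolMin is major.minor: 3.1 = TLS1.0, 3.2 = TLS1.1, 3.3 = TLS1.2
    min=$(printf '%s\n' "$config" | awk 'tolower($1)=="tlsprotocolmin"{print $2}' | tail -n 1)
    if [ -z "$min" ]; then
        echo "FAIL: TLSProtocolMin not set (SSLv3/TLS1.0 remain negotiable)"
        rc=1
    else
        major=${min%%.*}
        case $min in *.*) minor=${min#*.} ;; *) minor=0 ;; esac
        if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 3 ]; }; then
            echo "FAIL: TLSProtocolMin $min is below 3.3 (TLS 1.2)"
            rc=1
        fi
    fi
    suite=$(printf '%s\n' "$config" | awk 'tolower($1)=="tlsciphersuite"{print $2}' | tail -n 1)
    # The ticket's suite string removes each legacy protocol with a "-" token.
    for legacy in TLSv1.0 SSLv3 SSLv2; do
        case ":$suite:" in
            *":-$legacy:"*) ;;
            *) echo "FAIL: TLSCipherSuite does not exclude $legacy"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (assumptions, not files from any real host).
SAMPLE_GOOD='TLSCertificateFile /etc/openldap/certs/slapd.pem
TLSProtocolMin 3.3
TLSCipherSuite +TLSv1.2:-TLSv1.0:-SSLv3:-SSLv2'

SAMPLE_WEAK='TLSCertificateFile /etc/openldap/certs/slapd.pem
TLSProtocolMin 3.1
TLSCipherSuite HIGH:MEDIUM'

check_slapd_tls "$SAMPLE_GOOD" && echo "hardened config OK"
check_slapd_tls "$SAMPLE_WEAK" || echo "weak config rejected"
```

Run it against a real file with `check_slapd_tls "$(cat /etc/openldap/slapd.conf)"`; it does not cover cn=config (olcTLSProtocolMin) deployments.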

Acceptance Criteria

None

Activity

Nicholas Markowski
July 28, 2017, 4:02 PM

Good news! SIMP-6.0.0-0/CentOS6.8 shipped with openldap-servers 2.4.40-12, which allows us to set a minimum TLS protocol and pin to TLS 1.2. Pressing forward with puppet changes.

Labels

None

Epic Link

None

Story Points

5

Components

Assignee

Nicholas Markowski

Sprint

None

Priority

Highest