Habilitando o TLSv1.0 no OpenLDAP no CentOS7

2

Apesar de definir olcTLSProtocolMin: 3.1 , apenas o TLS1.2 está sendo apresentado pelo meu servidor CentOS7 OpenLDAP.

No momento, eu preciso do TLSv1.0 para suportar um aplicativo legado que ainda não pode ser substituído.

Como posso disponibilizar o TLSv1.0 no OpenLDAP sob o CentOS7?

$ ldapsearch -b cn=config cn=config  olcTLSCipherSuite olcTLSProtocolMin
dn: cn=config
olcTLSCipherSuite: HIGH:!3DES:!aNull:!MD5:@STRENGTH
olcTLSProtocolMin: 3.1

$ nmap -Pn --script ssl-enum-ciphers -p 636 ldap.example.com
Nmap scan report for ldap.example.com (198.51.100.1).
Host is up (0.00068s latency).
rDNS record for 198.51.100.1: ldap.example.com
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds
    
por 84104 14.07.2017 / 20:38

1 resposta

0

De acordo com a Red Hat, este é um conhecido bug .

    
por 15.07.2017 / 00:05