Our OpenLDAP servers run version on EL6. OpenLDAP is built against the Mozilla Network Security Services (NSS) libraries. Our LDAP clients come from a wide variety of Unix & Linux systems.
We are unable to get OpenLDAP connections working for clients or replication when we use our preferred TLS ciphers.
For example, if we use Red Hat's "strongest available ciphers only" list, such as this:
# /etc/openldap/slapd.conf
TLSProtocolMin 3.2
TLSCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
Client connections fail, because they do not meet our ACL requirement for a minimum Security Strength Factor (SSF):
slapd[22887]: conn=1022 fd=20 ACCEPT from IP=192.168.100.101:35936 (IP=192.168.100.100:636)
slapd[22887]: conn=1022 fd=20 TLS established tls_ssf=128 ssf=128
...
slapd[22887]: <= check a_authz.sai_ssf: ACL 256 > OP 128
How can I see which cipher is being used for this connection so that I can eliminate it from the list?
If we disable the cipher list and use the defaults provided by OpenLDAP + NSS, it works:
# /etc/openldap/slapd.conf
TLSProtocolMin 3.2
# TLSCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
slapd[6020]: conn=1003 fd=20 ACCEPT from IP=192.168.100.101:35936 (IP=192.168.100.100:636)
slapd[6020]: conn=1003 fd=20 TLS established tls_ssf=256 ssf=256
However, the default list is unacceptable because it includes some weak ciphers which our security team doesn't want, such as RC4-SHA & RC4-MD5 ciphers.
We are aware that EL6 is becoming EOL by the end of the year. That's a different problem.
Best Answer
I wasn't able to do this directly with tcpdump or tshark on the node. What I had to do was to capture with tcpdump on the machine, transfer the data to my laptop and then run a modern version of Wireshark per https://security.stackexchange.com/questions/52150/identify-ssl-version-and-cipher-suite
Another very helpful command was to use nmap's scripts to enumerate the ciphers:
Those AES_128 ciphers are causing my problem, and so I disabled them by adding them to the list of excluded ciphers:
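An added example (not part of the question or the accepted answer) that does the same triage offline: it expands an OpenSSL-style cipher string into the concrete suites it enables, lists the ones whose symmetric strength is below the SSF your ACL demands, and derives the exclusions needed. The cipher string is the one from the question's slapd.conf; the 256-bit threshold matches the "ACL 256 > OP 128" line. It assumes OpenSSL's interpretation of the cipher string via Python's ssl module, which is an approximation of how NSS-built OpenLDAP on EL6 parses the same string; the live-check function and its host/port are hypothetical and only illustrate how to read the negotiated suite for one connection.

```python
import socket
import ssl

# Cipher string copied from the question's /etc/openldap/slapd.conf.
QUESTION_SUITE = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL"
)


def expand_suite(cipher_string):
    """Expand an OpenSSL-style cipher string into the suites it enables.

    Returns a list of (name, protocol, strength_bits) tuples. Assumption: OpenSSL's
    parser, via Python's ssl module, is close enough to NSS's for this triage.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def below_ssf(cipher_string, min_ssf):
    """Suites whose key strength is below min_ssf.

    These are the suites that would produce a 'TLS established tls_ssf=128'
    connection against an ACL requiring ssf=256. TLS 1.3 suites are listed by
    OpenSSL regardless of the cipher string and are skipped here because the
    EL6/NSS server in the question never negotiates TLS 1.3.
    """
    return [
        c for c in expand_suite(cipher_string)
        if c[1] != "TLSv1.3" and c[2] < min_ssf
    ]


def harden(cipher_string, min_ssf):
    """Return the cipher string with every sub-threshold suite explicitly excluded.

    This generalises what the answer did by hand for the AES_128 suites: each
    weak suite is appended as '!NAME', which OpenSSL treats as a permanent removal.
    """
    weak_names = [name for name, _, _ in below_ssf(cipher_string, min_ssf)]
    if not weak_names:
        return cipher_string
    return cipher_string + ":" + ":".join("!" + n for n in weak_names)


def negotiated_cipher(host, port=636, timeout=5.0):
    """Connect once over TLS and report (suite_name, protocol, bits) the server chose.

    Hypothetical live check for the question's 'which cipher is this connection
    using?'; it needs network access and a trusted server certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    for name, proto, bits in below_ssf(QUESTION_SUITE, 256):
        print(f"{name:32s} {proto:8s} {bits} bits (below SSF 256)")
    print("hardened string:")
    print(harden(QUESTION_SUITE, 256))
    # Live check against a hypothetical server; uncomment to run on a real host.
    # print(negotiated_cipher("ldap.example.invalid", 636))
```

Run the script as-is to see which suites in the question's string are 128-bit (the AES128 family the answer found, plus any other 128-bit HIGH suites) and to get a cipher string with each of them excluded; `negotiated_cipher` then confirms on a live LDAPS port that the server now picks a 256-bit suite.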