OpenLDAP SSL with GnuTLS
Today I finally found some time to tighten security on an internal LDAP setup, only to find that my usual procedure doesn't work. Apparently OpenLDAP has had GnuTLS support since 2.4, and of course Debian builds its packages against it. So here's a quick guide to setting up LDAPS with GnuTLS.
First I set up a private key and a certificate signing request (CSR) for the LDAP service with openssl (-nodes leaves the key unencrypted, so slapd can start unattended):
openssl req -out ldap.server.net.csr -new -newkey rsa:2048 -nodes -keyout server.key
This CSR is sent to the Certificate Authority, which in turn returns a certificate.
To get some insight into GnuTLS I install the gnutls-bin package, which lets me find out which cipher suites are available:
gnutls-cli -l
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0
TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0
TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0
TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0
Certificate types: X.509, OPENPGP
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: DEFLATE, NULL
To enable SSL in slapd you'll need to edit the slapd.conf file and add something like the following. The TLSCipherSuite value is one of the suites from the gnutls-cli -l list above:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
TLSCACertificateFile /etc/ssl/certs/<yourca.pem>
TLSCertificateFile /etc/ssl/ldap.server.net.crt
TLSCertificateKeyFile /etc/ssl/private/server.key
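Picking the TLSCipherSuite by eye from that long list is error prone, so here is a small filter I add as an example (it is not part of the original post). It parses gnutls-cli -l output and drops the suites a defender would not want on an LDAPS listener: anonymous, NULL, export-grade, RC4/MD5/(3)DES, and the PSK/SRP suites that are not X.509-authenticated. The embedded sample is a handful of lines copied from the list above.

```python
"""Filter `gnutls-cli -l` output down to cipher suites worth offering
on an LDAPS listener. Added example, not code from the original post."""
import re

# Sample lines taken from the gnutls-cli -l output shown in the post,
# embedded here so the example runs offline.
SAMPLE_OUTPUT = """\
Cipher suites:
TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0
TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
Certificate types: X.509, OPENPGP
"""

# name, two-byte suite id, earliest protocol version the suite exists in
SUITE_RE = re.compile(r"^(TLS_\S+)\s+0x[0-9a-f]{2},\s*0x[0-9a-f]{2}\s+(\S+)$")

# Name tokens that disqualify a suite for a certificate-authenticated
# LDAPS service: no server authentication (ANON, PSK, SRP), no or
# export-grade encryption (NULL, EXPORT), broken primitives (ARCFOUR,
# MD5, DES, 3DES).
REJECT = {"ANON", "PSK", "SRP", "NULL", "EXPORT", "ARCFOUR", "MD5", "DES", "3DES"}

def parse_suites(text):
    """Return (suite name, minimum protocol) tuples from gnutls-cli -l output."""
    suites = []
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites.append((m.group(1), m.group(2)))
    return suites

def classify(name):
    """'reject', 'ok', or 'ok-pfs' (ephemeral DH, forward secrecy)."""
    parts = set(name.split("_"))
    if parts & REJECT:
        return "reject"
    return "ok-pfs" if "DHE" in parts else "ok"

def acceptable(text):
    """Suite names that pass the filter, forward-secrecy suites first."""
    kept = [n for n, _ in parse_suites(text) if classify(n) != "reject"]
    return sorted(kept, key=lambda n: classify(n) != "ok-pfs")

if __name__ == "__main__":
    for suite in acceptable(SAMPLE_OUTPUT):
        print(suite)
```

Feed it the real output with `gnutls-cli -l | python3 filter.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the first line printed is the candidate for TLSCipherSuite.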
I'm following the security setup Debian provides, under which the openldap user cannot read server.key in /etc/ssl/private. I allow it by adding the openldap user to the ssl-cert group.
Finally, edit /etc/default/slapd and change the following line to what you need:
SLAPD_SERVICES="ldap://0.0.0.0:389/ ldaps://0.0.0.0:636/"
That should be sufficient to get LDAPS support.
Test it with:
openssl s_client -connect 127.0.0.1:636 -showcerts