Skip to content

Commit

Permalink
Adjust LDAP_TLS_CIPHER_SUITE to Red Hat's TLS hardening guide
Browse files Browse the repository at this point in the history
  • Loading branch information
@jgehrcke
jgehrcke committed Jul 20, 2016
1 parent c7cdcbb commit 9965458
Show file tree
Hide file tree
Showing 6 changed files with 9 additions and 7 deletions.
6 changes: 4 additions & 2 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,10 @@
# Changelog

## 1.1.4
Remove TLS environment variable LDAP_TLS_PROTOCOL_MIN, see #69

- Remove environment variable LDAP_TLS_PROTOCOL_MIN as it takes no effect, see #69.
- Adjust default GnuTLS cipher string according to Red Hat's TLS hardening guide.
This by default also restricts the TLS protocol version to 1.2. For reference,
see #69.

## 1.1.3
Merge pull request :
Expand Down
2 changes: 1 addition & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -253,7 +253,7 @@ TLS options:
- **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
- **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate filename. Defaults to `ca.crt`
- **LDAP_TLS_ENFORCE**: Enforce TLS. Defaults to `false`
- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:-VERS-SSL3.0`
- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC`, based on Red Hat's [TLS hardening guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html)
- **LDAP_TLS_VERIFY_CLIENT**: TLS verify client. Defaults to `demand`

Help: http://www.openldap.org/doc/admin24/tls.html
Expand Down
2 changes: 1 addition & 1 deletion example/extend-osixia-openldap/environment/my-env.yaml.startup
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ LDAP_TLS_KEY_FILENAME: cert.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt

LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
LDAP_TLS_VERIFY_CLIENT: never

# Replication
Expand Down
2 changes: 1 addition & 1 deletion example/kubernetes/simple/ldap-rc.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ spec:
- name: LDAP_TLS_ENFORCE
value: "false"
- name: LDAP_TLS_CIPHER_SUITE
value: "SECURE256:-VERS-SSL3.0"
value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
- name: LDAP_TLS_VERIFY_CLIENT
value: "demand"
- name: LDAP_REPLICATION
Expand Down
2 changes: 1 addition & 1 deletion example/kubernetes/using-secrets/environment/my-env.yaml.startup
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ LDAP_TLS_KEY_FILENAME: cert.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt

LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
LDAP_TLS_VERIFY_CLIENT: never

# Replication
Expand Down
2 changes: 1 addition & 1 deletion image/environment/default.yaml.startup
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt

LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
LDAP_TLS_VERIFY_CLIENT: demand

# Replication
Expand Down

0 comments on commit 9965458

Please sign in to comment.