> On 22 Apr 2021, at 03:52, Trevor Vaughan <email@example.com> wrote:
> Hi All,
> OS Version: CentOS 8
> 389-DS Version: 126.96.36.199 from EPEL
> I have a server set up with minssf=256 and have been surprised that either 389-DS, or openssl, does not appear to be doing what I would consider a logical TLS negotiation.
> I had thought that the system would start with the strongest cipher and then negotiate down to something that was acceptable.
> Instead, I'm finding that I have to nail up the ciphers to something that the 389-DS server both recognizes and is within the expected SSF.
> Is this expected behavior or do I have something configured incorrectly?
That's not what minssf does.
minssf says "during a bind operation, reject if the encryption strength used is less than 256 bits or equivalent".
The "bit strength" is arbitrary though, because it's a concept from sasl, and generally is very broken.
Remember, minssf does NOT do what you think though! Because bind is the *first* message on the wire, the series of operations is
open plain text conn ->
<- accept connection
send bind on conn ->
<- reject due to minsff too weak.
So you have already leaked the password!
The only way to ensure this does not occur is to set "nsslapd-port: 0" which disables plaintext. Then you *only* use ldaps on port 636, which is guarantee encrypted from the start.
It is worth noting that the use of starttls over ldap, does *NOT* mitigate this issue, for a similar reason.
Caveat: If you are using kerberos/gssapi you can NOT disable plaintext ldap due to these protocols attempting to install their own encryption layers.
Hope that helps,
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
> -- This account not approved for unencrypted proprietary information --
> 389-users mailing list -- firstname.lastname@example.org
> To unsubscribe send an email to email@example.com
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://firstname.lastname@example.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
389-users mailing list -- email@example.com
To unsubscribe send an email to firstname.lastname@example.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://email@example.com
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure