rlm_ldap: Limit accepted TLS versions on LDAPS


rlm_ldap: Limit accepted TLS versions on LDAPS

Robert Hentsch-Jesse
Hello Freeradius Users,

I'm using freeradius with the rlm_ldap module to request users from an OpenLDAP server using the LDAPS protocol.
Is there any best practice for how to limit the accepted TLS versions to 1.2 and 1.3 on the LDAPS connection? SSL and TLS <= 1.1 should be denied.
I found a "tls_min_version" option for the rlm_eap module, but not for rlm_ldap.
Are there other possibilities than stripping down the used libssl?

Thank you in advance and best regards,

Robert Hentsch-Jesse


.......................................................................................
PHOENIX CONTACT Cyber Security GmbH
Richard-Willstätter-Straße 6, 12489 Berlin, Germany
Register Court: AG Charlottenburg, HR B 202908
Geschäftsführer/General Manager: Kilian Golm
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Sven Hartge-5
On 07.12.20 14:38, Robert Hentsch-Jesse wrote:

> I'm using freeradius with the rlm_ldap module to request users from an OpenLDAP server using the LDAPS protocol.
> Is there any best practice for how to limit the accepted TLS versions to 1.2 and 1.3 on the LDAPS connection? SSL and TLS <= 1.1 should be denied.
> I found a "tls_min_version" option for the rlm_eap module, but not for rlm_ldap.
> Are there other possibilities than stripping down the used libssl?

libssl can also be configured via /etc/ssl/openssl.cnf.

You can use it to limit the acceptable ciphers and TLS versions and
many other configuration settings.

Regards,
Sven.

Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Robert Hentsch-Jesse
Thank you for this recommendation!

Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections. The tool is still negotiating the connection with servers that provide only TLS 1.1.
I added:

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ ssl_sect ]
system_default = system_default_sect

[ system_default_sect ]
MinProtocol = TLSv1.2


Does freeradius always consider these settings or do I need to configure something in freeradius also?

Best regards, Robert Hentsch-Jesse



Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Alan DeKok-2
On Dec 9, 2020, at 1:53 AM, Robert Hentsch-Jesse <[hidden email]> wrote:
> Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections.

  FreeRADIUS calls libldap, which in turn *may* call OpenSSL.  And OpenSSL *should* read /etc/ssl/openssl.cnf.

  So we're stuck with the limitations of the libraries we call.  And the libldap API doesn't provide a way to say "require TLS 1.2".

> Does freeradius always consider these settings or do I need to configure something in freeradius also?

  See above.

  If you want to check if FreeRADIUS eventually reads the file, use "strace", and look for where it calls "open" on /etc/ssl/openssl.cnf.

  If that file isn't opened, there's still not much you can do to FreeRADIUS to fix it.  The problem is buried deep inside other libraries.

  Alan DeKok.


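The strace check Alan suggests, as an added example that is not part of the thread and not FreeRADIUS code: a Python helper that scans strace output for open()/openat() calls on the configuration files in question and reports, per path, whether the file was opened, failed to open, or was never touched. The strace lines are constructed for this example. The watched paths are my choice; the second openssl.cnf location is included because OpenSSL reads the file under its compiled-in OPENSSLDIR (`openssl version -d` prints it), which is not /etc/ssl on every build, so a "failed" on /etc/ssl/openssl.cnf alone does not prove the MinProtocol floor was skipped.

```python
"""Did the process actually open its OpenSSL / ldap.conf configuration?

Added example: scans strace output (run with -f so libldap's threads are
covered) for open()/openat() calls on the config files that carry a TLS
version floor. Sample trace lines below are constructed, not captured.
"""
import re

# Files worth watching. OpenSSL reads the openssl.cnf under its compiled-in
# OPENSSLDIR (`openssl version -d` prints it), which is not /etc/ssl on every
# build; libldap reads ldap.conf for TLS_PROTOCOL_MIN. Paths are my choice.
CONFIG_PATHS = (
    "/etc/ssl/openssl.cnf",
    "/usr/lib/ssl/openssl.cnf",
    "/etc/ldap/ldap.conf",
)

# One open()/openat() line: optional "[pid N]" prefix (strace -f), optional
# timestamp (strace -t/-tt), the path argument, and the return value, which is
# a descriptor on success or -1 followed by the errno name on failure.
_OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'                 # "[pid 4242] " from strace -f
    r'(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'    # "14:38:02.123 " from strace -tt
    r'open(?:at)?\('                          # open( or openat(
    r'(?:[^",]*,\s*)?'                        # openat's dirfd argument, if present
    r'"([^"]+)"'                              # the path
    r'[^)]*\)\s*=\s*(-?\d+)'                  # flags, then "= 3" or "= -1 ENOENT ..."
)


def parse_opens(strace_text):
    """Yield (path, return_value) for each open()/openat() line.

    Calls that strace -f splits into "<unfinished ...>" / "<... resumed>"
    halves are not reassembled here and are skipped.
    """
    for line in strace_text.splitlines():
        m = _OPEN_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2))


def config_open_status(strace_text, paths=CONFIG_PATHS):
    """Return {path: "opened" | "failed" | "never"} for the watched paths.

    One successful open outranks earlier failures, since libraries often
    probe several candidate locations before finding the real file.
    """
    status = {p: "never" for p in paths}
    for path, rv in parse_opens(strace_text):
        if path not in status:
            continue
        if rv >= 0:
            status[path] = "opened"
        elif status[path] == "never":
            status[path] = "failed"
    return status


def openssl_config_read(status):
    """Which openssl.cnf, if any, the process opened.

    None means no MinProtocol setting from any openssl.cnf can have applied.
    """
    for path, state in status.items():
        if path.endswith("openssl.cnf") and state == "opened":
            return path
    return None


# Constructed sample: ldap.conf read, /etc/ssl probe fails, OPENSSLDIR copy read.
SAMPLE_STRACE = """\
[pid  4242] openat(AT_FDCWD, "/etc/ldap/ldap.conf", O_RDONLY|O_CLOEXEC) = 5
[pid  4242] openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 6
[pid  4242] read(6, "openssl_conf = default_conf\\n"..., 4096) = 120
[pid  4243] openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 7
"""

if __name__ == "__main__":
    status = config_open_status(SAMPLE_STRACE)
    for path, state in status.items():
        print(f"{state:7} {path}")
    print("openssl.cnf actually read:", openssl_config_read(status))
```

Capture a real trace with `strace -f -e trace=open,openat -o radiusd.trace radiusd -X` and pass the file's contents to config_open_status(). A result of "failed" or "never" for every openssl.cnf path is the situation Alan describes: the MinProtocol floor in that file was never loaded, and the fix has to come from libldap's side (ldap.conf or the module option) rather than from OpenSSL's config.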

Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Sven Hartge-5
On 09.12.20 07:53, Robert Hentsch-Jesse wrote:

> Unfortunately freeradius seems to ignore the settings from within /etc/ssl/openssl.cnf for its LDAPS connections. The tool is still negotiating the connection with servers, which provide only TLS 1.1.

What SSL library is your libldap using? I assumed OpenSSL but depending
on the distribution it may be GnuTLS or NSS.

You can also try to set TLS_CIPHER_SUITE or TLS_PROTOCOL_MIN via
/etc/ldap/ldap.conf.

Please read ldap.conf(5) and the documentation of the used SSL library
for valid values.

Regards,
Sven.


Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Users mailing list
On 12/9/20 3:36 PM, Alan DeKok wrote:
> And the libldap API doesn't provide a way to say "require TLS 1.2"

How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?

This is a single integer but I can't find how to calculate it from TLS
major.minor version. I suspect it's the 16-bit integer value (2 bytes
for major.minor) used at lower TLS protocol level. AFAICS TLSv1.2 would
be 0x0303 [1].

Better ask on openldap-technical mailing list to get an authoritative
answer though.

Ciao, Michael.

[1] https://tools.ietf.org/html/rfc8446#section-4.1.2

Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Alan DeKok-2
On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <[hidden email]> wrote:
>
> On 12/9/20 3:36 PM, Alan DeKok wrote:
>> And the libldap API doesn't provide a way to say "require TLS 1.2"
>
> How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?

  Huh...  that's new.  I'll push some fixes.

> This is a single integer but I can't find how to calculate it from TLS
> major.minor version. I suspect it's the 16-bit integer value (2 bytes
> for major.minor) used at lower TLS protocol level. AFAICS TLSv1.2 would
> be 0x0303 [1].

  Yes.  It's all magical.  But that's the correct value.

  Alan DeKok.



Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Alan DeKok-2


> On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <[hidden email]> wrote:
>
> On 12/9/20 3:36 PM, Alan DeKok wrote:
>> And the libldap API doesn't provide a way to say "require TLS 1.2"
>
> How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?

  See commit e789729285e

  This should hopefully work.

  Alan DeKok.



Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Users mailing list
On 12/9/20 5:16 PM, Alan DeKok wrote:
>> On Dec 9, 2020, at 10:48 AM, Michael Ströder via Freeradius-Users <[hidden email]> wrote:
>>
>> On 12/9/20 3:36 PM, Alan DeKok wrote:
>>> And the libldap API doesn't provide a way to say "require TLS 1.2"
>>
>> How about using LDAP_OPT_X_TLS_PROTOCOL_MIN described in ldap_set_option(3)?
>   See commit e789729285e
>   This should hopefully work.

How about TLSv1.3?

You're using the integer constants from ldap.h which is fine up to
TLSv1.2. But there's no such constant for TLSv1.3 in ldap.h.

But OpenLDAP server already supports TLSv1.3:

openssl s_client -connect demo.ae-dir.com:636

I've submitted ITS#9422 [1] and we will see what OpenLDAP devs say.

Ciao, Michael.

[1] https://bugs.openldap.org/show_bug.cgi?id=9422

Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Alan DeKok-2
On Dec 9, 2020, at 12:24 PM, Michael Ströder via Freeradius-Users <[hidden email]> wrote:
> How about TLSv1.3?

  It should work.

> You're using the integer constants from ldap.h which is fine up to
> TLSv1.2. But there's no such constant for TLSv1.3 in ldap.h.

  Yeah.  I suspect even if we added it, libldap would complain.

> But OpenLDAP server already supports TLSv1.3:
>
> openssl s_client -connect demo.ae-dir.com:636
>
> I've submitted ITS#9422 [1] and we will see what OpenLDAP devs say.

  Thanks.

  Alan DeKok.


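The integer Michael works out for LDAP_OPT_X_TLS_PROTOCOL_MIN, and the TLS 1.3 question that follows it, as an added example that is neither from the thread nor from FreeRADIUS or OpenLDAP: Python helpers that build the option value from a version name by packing the record-layer version bytes as (major << 8) + minor (TLSv1.2 gives 0x0303, as the thread confirms; TLSv1.3 gives 0x0304 by the same rule), decode it back, and cross-check it against CPython's ssl.TLSVersion, whose members carry the same wire integers. Whether a particular libldap accepts the 1.3 value is what ITS#9422 asks and is not settled by this code. The "<major>.<minor>" spelling for TLS_PROTOCOL_MIN in ldap.conf is an assumption of this example; check ldap.conf(5) on your system.

```python
"""The integer behind LDAP_OPT_X_TLS_PROTOCOL_MIN (added example).

Packs a TLS version as (major << 8) | minor, the scheme the thread describes,
and cross-checks it against the standard library's ssl.TLSVersion enum.
"""
import ssl

# Version name -> (major, minor) record-layer version bytes.
# SSL 3.0 is 3.0; TLS 1.x keeps major 3 and uses minor = x + 1.
TLS_WIRE_VERSIONS = {
    "SSLv3":   (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),   # 0x0303, the value confirmed in the thread
    "TLSv1.3": (3, 4),   # 0x0304 by the same rule; ldap.h had no constant for it (ITS#9422)
}

# The same versions under the names CPython's ssl.TLSVersion uses.
_STDLIB_NAMES = {
    "SSLv3": "SSLv3",
    "TLSv1.0": "TLSv1",
    "TLSv1.1": "TLSv1_1",
    "TLSv1.2": "TLSv1_2",
    "TLSv1.3": "TLSv1_3",
}


def protocol_min_value(name: str) -> int:
    """LDAP_OPT_X_TLS_PROTOCOL_MIN integer for a version name (TLSv1.2 -> 0x0303).

    Unknown names raise KeyError on purpose: a typo must not silently lower the floor.
    """
    major, minor = TLS_WIRE_VERSIONS[name]
    return (major << 8) | minor


def protocol_name(value: int) -> str:
    """Decode an option value back to its name, e.g. to log the floor actually configured."""
    pair = (value >> 8, value & 0xFF)
    for name, known in TLS_WIRE_VERSIONS.items():
        if known == pair:
            return name
    raise ValueError(f"unknown TLS version value {value:#06x}")


def ldap_conf_line(name: str) -> str:
    """The same floor as an /etc/ldap/ldap.conf line (assumed '<major>.<minor>' form)."""
    major, minor = TLS_WIRE_VERSIONS[name]
    return f"TLS_PROTOCOL_MIN {major}.{minor}"


def matches_stdlib(name: str) -> bool:
    """Cross-check: ssl.TLSVersion members are the identical wire integers."""
    return protocol_min_value(name) == int(getattr(ssl.TLSVersion, _STDLIB_NAMES[name]))


def stdlib_context_with_floor(name: str) -> ssl.SSLContext:
    """Feed the packed integer to the standard library, which accepts it as a TLSVersion."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion(protocol_min_value(name))
    return ctx


def version_allowed(negotiated: str, minimum: str) -> bool:
    """Would a handshake at `negotiated` pass a floor of `minimum`?

    The packed integers order the same way as the versions, so a plain
    comparison models the check a minimum-version option performs.
    """
    return protocol_min_value(negotiated) >= protocol_min_value(minimum)


if __name__ == "__main__":
    floor = "TLSv1.2"
    print(f"{floor}: LDAP_OPT_X_TLS_PROTOCOL_MIN = {protocol_min_value(floor):#06x}")
    print(ldap_conf_line(floor))
    for name in TLS_WIRE_VERSIONS:
        print(f"  {name:8} allowed={version_allowed(name, floor)!s:5} stdlib_ok={matches_stdlib(name)}")
```

With a floor of TLSv1.2 the table printed by the block shows SSLv3, TLSv1.0 and TLSv1.1 rejected and TLSv1.2 and TLSv1.3 accepted, which is the policy Robert asked for at the top of the thread; the stdlib cross-check passing for every row is the evidence that 0x0303 and 0x0304 are the right integers and not an artefact of this example.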

Re: rlm_ldap: Limit accepted TLS versions on LDAPS

Robert Hentsch-Jesse
Thanks for the quick solution!
It fixed the problem for me.

Best regards,

Robert Hentsch-Jesse

