Quick Note: Disable SSLv3 in OpenLDAP with GnuTLS

Mike Green
Oct 15, 2014 · 1 min read
GnuTLS Logo by Claus Schrammel

Due to the SSL POODLE vulnerability, it is best to remove support for the outdated SSLv3 protocol. As OpenLDAP with GnuTLS is a beast of its own, here’s the quick change to remove SSLv3 support:

cat > nossl.ldif <<EOF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
EOFldapmodify -Y EXTERNAL -H ldapi:/// -f nossl.ldif

And we’re done! Obviously, if you already have olcTLSCipgerSuite, then use “replace” instead of “add”.

A quick test:

~# gnutls-cli-debug -p 636 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:636'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes

Myatu’s

Myatu’s Tech Blog, from the site that has been wasting bits and bytes daily, since 2008.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade