Myatu’s
Published in

Myatu’s

Quick Note: Disable SSLv3 in OpenLDAP with GnuTLS

GnuTLS Logo by Claus Schrammel

Due to the SSL POODLE vulnerability, it is best to remove support for the outdated SSLv3 protocol. As OpenLDAP with GnuTLS is a beast of its own, here’s the quick change to remove SSLv3 support:

cat > nossl.ldif <<EOF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
EOFldapmodify -Y EXTERNAL -H ldapi:/// -f nossl.ldif

And we’re done! Obviously, if you already have olcTLSCipgerSuite, then use “replace” instead of “add”.

A quick test:

~# gnutls-cli-debug -p 636 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:636'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes

--

--

--

Myatu’s Tech Blog, from the site that has been wasting bits and bytes daily, since 2008.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mike Green

Mike Green

I keep servers happy, and they keep me happy.

More from Medium

Server Hardening with OpenSCAP

content of /usr/share/xml/scap/ssg/content/ directory

How to restart Wacom driver without restarting computer on Linux

Cron on UNIX / Linux

Performing Linux Quickly and Easily! :)