OpenLDAP: stronger confidentiality required

One of the security options that OpenLDAP offers is to not accept TLS connections below a certain grade. The OpenLDAP cn=config option is called ‘olcLocalSSF’. If you set it to 256 then any LDAP client will need to connect with a 256 bit ciphersuite or else the TLS connection will fail.

After an update of OpenLDAP to 2.4.40 on an up-to-date CentOS 6.5 box (which also had a recent OpenSSL update) the TLS connection between Postfix and OpenLDAP stopped working. The problem as reported by the client (a Postfix ldap lookup) was just:

Not very helpful so after increasing the olcLogLevel in OpenLDAP to 256 the following started to show up in the log:

Notice the “tls_ssf=128” and text “stronger confidentiality required”? It tells you that the client connects with a 128 bit ciphersuite which is clearly not enough as 256 bit is required. So the TLS connection fails.

The solution is to make the client use a 256 bit ciphersuite.

In ldap.conf or ldaprc add:

And if you use Postfix ldap_table lookups then add in your /etc/postfix/<ldap-table>.cf config file: