OpenLDAP: stronger confidentiality required

One of the security options that OpenLDAP offers is to refuse TLS connections below a certain strength. The OpenLDAP cn=config option is called ‘olcLocalSSF’. If you set it to 256, any LDAP client will need to connect with a 256 bit ciphersuite or the TLS connection will fail.

After an update of OpenLDAP to 2.4.40 on an up-to-date CentOS 6.5 box (which had also received a recent OpenSSL update), the TLS connection between Postfix and OpenLDAP stopped working. The problem as reported by the client (a Postfix LDAP lookup) was just:

Not very helpful, so after increasing the olcLogLevel in OpenLDAP to 256 the following started to show up in the log:

Notice the “tls_ssf=128” and the text “stronger confidentiality required”? It tells you that the client connects with a 128 bit ciphersuite, which is not enough when 256 bit is required. So the TLS connection fails.
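To spot this failure mode across a whole log rather than one line at a time, here is an added example (not from the original post) that scans OpenLDAP log lines for the negotiated TLS SSF and reports every client that negotiated below the required strength, along with whether the server refused it. The log lines are constructed samples, and the exact log format is an assumption.

```python
import re

# Minimum security strength factor the server enforces (the post sets it to 256).
REQUIRED_SSF = 256

# Constructed sample OpenLDAP log lines (olcLogLevel 256): conn 1001 negotiates a
# 128 bit suite and is refused, conn 1002 negotiates 256 bit and binds fine.
# The line format is an assumption based on typical slapd logging.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=10.0.0.5:41234 (IP=0.0.0.0:636)
conn=1001 fd=12 TLS established tls_ssf=128 ssf=128
conn=1001 op=0 BIND dn="cn=postfix,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=13 text=stronger confidentiality required
conn=1002 fd=13 ACCEPT from IP=10.0.0.6:51200 (IP=0.0.0.0:636)
conn=1002 fd=13 TLS established tls_ssf=256 ssf=256
conn=1002 op=0 BIND dn="cn=dovecot,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) .*ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"conn=(\d+) .*TLS established tls_ssf=(\d+)")
FAIL_RE = re.compile(r"conn=(\d+) .*text=stronger confidentiality required")


def find_weak_clients(log_text, required_ssf=REQUIRED_SSF):
    """Return {conn_id: {"ip", "tls_ssf", "refused"}} for each connection whose
    negotiated TLS SSF is below required_ssf. 'refused' records whether slapd
    actually answered with 'stronger confidentiality required'."""
    peers, ssf, refused = {}, {}, set()
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            peers[m.group(1)] = m.group(2)          # remember the client address
        elif m := TLS_RE.search(line):
            ssf[m.group(1)] = int(m.group(2))       # negotiated TLS strength
        elif m := FAIL_RE.search(line):
            refused.add(m.group(1))                 # server rejected the operation
    weak = {}
    for conn, strength in ssf.items():
        if strength < required_ssf:
            weak[conn] = {"ip": peers.get(conn), "tls_ssf": strength,
                          "refused": conn in refused}
    return weak


if __name__ == "__main__":
    for conn, info in find_weak_clients(SAMPLE_LOG).items():
        print(f"conn={conn} from {info['ip']} negotiated tls_ssf={info['tls_ssf']} "
              f"(< {REQUIRED_SSF}); refused={info['refused']}")
```

Run it against the real slapd log after raising olcLogLevel to see which clients still need their TLS_CIPHER_SUITE fixed.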

The solution is to make the client use a 256 bit ciphersuite.

In ldap.conf or ldaprc add:

And if you use Postfix ldap_table lookups, then add to your /etc/postfix/<ldap-table>.cf config file:

Dovecot, self-signed certificates and unknown CA problem

Quick tip if you are trying to deploy Dovecot on RHEL6 or CentOS6 and get an error message about an ‘unknown CA’ like this:

The reason this error occurs is that Dovecot cannot verify the client certificate: it does not know the self-signed CA certificate because it cannot find it. It’s a puzzling error, especially when the CA certificate is present in the Dovecot config:

This happens because Dovecot cannot find the CA certificate in the /etc/pki/dovecot/certs directory. Note the directory. The Dovecot RPM on EL6 comes pre-packaged with two directories: /etc/pki/dovecot/certs/ and /etc/pki/dovecot/private/. But if you put a self-signed CA certificate in /etc/pki/dovecot/certs/, Dovecot cannot find it because it is looking elsewhere for the CA certificate.

The solution is to put the self-signed CA certificate in /etc/pki/tls/certs/.

How to make Firefox more secure with TLS 1.2

To increase the security of the SSL/TLS encrypted link set up by your Firefox browser, enter “about:config” in the address bar, press Enter and change the following preferences:

Setting both to a value of 3 means that Firefox will only use TLS 1.2. This is currently the most secure. However, TLS 1.2 may not be supported by every webserver behind the websites you visit. If you find that you cannot set up a TLS 1.2 encrypted link to a website, you can try lowering the value of the security.tls.version.min preference to 2. The value 2 means that TLS 1.0 is supported as a minimum, which is not as good as TLS 1.2 but better than SSLv3 (a value of 1).

If you really need to allow SSLv3-based links to a website, then at least make sure that you disable security.ssl3.rsa_fips_des_ede3_sha:

It also makes sense to disable RC4 by setting the preferences below to false:

You can check how secure your SSL/TLS client is at How’s My SSL?

You can also install the CipherFox add-on in Firefox which displays the current SSL/TLS cipher and certificate chain in the Add-on bar and Site ID dialog.

Be safe out there!