docker-openldap
update TLSCipherSuite
https://github.com/osixia/docker-openldap/blob/master/image/environment/default.startup.yaml#L34
According to https://testssl.sh/ you may want to update your TLSCipherSuite default setting.
At the moment you don't allow TLS 1.3, have no cipher server order, are potentially VULNERABLE to LUCKY13 and use obsoleted CBC ciphers (AES, ARIA etc.). However, the overall grade is still A+.
I would recommend: TLSCipherSuite: SECURE256:SECURE192:SECURE128:-VERS-DTLS-ALL:-VERS-TLS-ALL:-SHA1:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
Detailed breakdown:
| key | description |
|---|---|
| SECURE256:SECURE192:SECURE128 | prefer more secure ciphers over older ciphers |
| -VERS-DTLS-ALL and -VERS-TLS-ALL | disable all TLS protocols |
| -SHA1 | disable SHA1 MACs |
| +VERS-TLS1.3 and +VERS-TLS1.2 | (re)enable only TLS1.2 and TLS1.3 |
| %SERVER_PRECEDENCE | force server cipher order |
| %SAFE_RENEGOTIATION | force Secure Renegotiation (RFC 5746) |

I only tested this on Debian 10 with slapd 2.4.47 and GnuTLS 3.6.7, so you may want to test this setting first.
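To see why the order of the tokens above matters, here is a small added example (not GnuTLS or docker-openldap code) that models how a GnuTLS priority string is applied left to right and reports what survives. The model only tracks the dimensions the issue discusses (protocol versions, the SHA1 MAC and the `%` flags); the keyword expansions and the DEFAULT_MACS baseline are assumptions for illustration, and real GnuTLS also resolves ciphers, key exchange, signatures and groups.

```python
# Added example: simplified model of GnuTLS priority-string evaluation.
# Only protocol versions, MAC names and %-flags are modelled (assumption).

VERSION_GROUPS = {  # expansion of the *-ALL version keywords
    "VERS-TLS-ALL": {"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"},
    "VERS-DTLS-ALL": {"DTLS1.0", "DTLS1.2"},
}
INITIAL_KEYWORDS = {"NORMAL", "SECURE128", "SECURE192", "SECURE256", "PFS"}
DEFAULT_MACS = {"SHA1", "SHA256", "SHA384", "AEAD"}  # assumed baseline


def evaluate_priority(priority: str) -> dict:
    """Return the versions, MACs and flags left enabled after applying `priority`."""
    versions, macs, flags = set(), set(), set()
    for token in priority.split(":"):
        if token in INITIAL_KEYWORDS:          # initial keywords enable a broad baseline
            versions |= set().union(*VERSION_GROUPS.values())
            macs |= DEFAULT_MACS
        elif token.startswith("%"):            # behavioural flags such as %SERVER_PRECEDENCE
            flags.add(token[1:])
        elif token[:1] in ("+", "-", "!"):     # '+' adds, '-' and '!' remove
            enable, name = token[0] == "+", token[1:]
            if name.startswith("VERS-"):
                members = VERSION_GROUPS.get(name, {name[len("VERS-"):]})
                versions = versions | members if enable else versions - members
            else:                              # everything else is treated as a MAC name here
                macs = macs | {name} if enable else macs - {name}
        else:
            raise ValueError(f"unrecognised token: {token!r}")
    return {"versions": versions, "macs": macs, "flags": flags}


def findings(priority: str) -> list:
    """List the issues the testssl.sh scan reported, as the model sees them."""
    cfg = evaluate_priority(priority)
    out = []
    legacy = sorted(v for v in cfg["versions"] if v not in {"TLS1.2", "TLS1.3"})
    if legacy:
        out.append("legacy protocol versions enabled: " + ", ".join(legacy))
    if "TLS1.3" not in cfg["versions"]:
        out.append("TLS1.3 not enabled")
    if "SHA1" in cfg["macs"]:
        out.append("SHA1 MAC enabled")
    if "SERVER_PRECEDENCE" not in cfg["flags"]:
        out.append("no server cipher order")
    return out


RECOMMENDED = ("SECURE256:SECURE192:SECURE128:-VERS-DTLS-ALL:-VERS-TLS-ALL:-SHA1"
               ":+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION")

if __name__ == "__main__":
    print(findings("NORMAL"))      # broad baseline: legacy versions, SHA1, no server order
    print(findings(RECOMMENDED))   # []
```

Dropping `-VERS-TLS-ALL` or placing the `+VERS-TLS1.x` tokens before it changes the outcome, which is the kind of mistake the author's "test this setting first" warning is about.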
If you are coming here to figure out how to configure OpenLDAP to only use TLS1.3, note that the string given above is for GnuTLS and not OpenSSL; OpenLDAP can be configured to use either. So that string will not work for OpenSSL. I am still searching for the "TLSv1.3 only" string for OpenSSL...