9 år sedan · c29a6308ce
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 
				 # Changelog
			
 
				 
			
 
				+## 1.1.4
			
 
				+- Remove environment variable LDAP_TLS_PROTOCOL_MIN as it takes no effect, see #69.
			
 
				+- Adjust default GnuTLS cipher string according to Red Hat's TLS hardening guide.
			
 
				+  This by default also restricts the TLS protocol version to 1.2. For reference,
			
 
				+  see #69.
			
 
				+
			
 
				 ## 1.1.3
			
 
				 Merge pull request :
			
 
				   - Use mdb over hdb #50
			
--- a/README.md
+++ b/README.md
@@ -253,8 +253,7 @@ TLS options:
 
				 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
			
 
				 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
			
 
				 - **LDAP_TLS_ENFORCE**: Enforce TLS. Defaults to `false`
			
 
				-- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:-VERS-SSL3.0`
			
 
				-- **LDAP_TLS_PROTOCOL_MIN**: TLS min protocol. Defaults to `3.1`
			
 
				+- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC`, based on Red Hat's [TLS hardening guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html)
			
 
				 - **LDAP_TLS_VERIFY_CLIENT**: TLS verify client. Defaults to `demand`
			
 
				 
			
 
				 	Help: http://www.openldap.org/doc/admin24/tls.html
			
--- a/example/extend-osixia-openldap/environment/my-env.yaml.startup
+++ b/example/extend-osixia-openldap/environment/my-env.yaml.startup
@@ -23,8 +23,7 @@ LDAP_TLS_KEY_FILENAME: cert.key
 
				 LDAP_TLS_CA_CRT_FILENAME: ca.crt
			
 
				 
			
 
				 LDAP_TLS_ENFORCE: false
			
 
				-LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
			
 
				-LDAP_TLS_PROTOCOL_MIN: 3.1
			
 
				+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
			
 
				 LDAP_TLS_VERIFY_CLIENT: never
			
 
				 
			
 
				 # Replication
			
--- a/example/kubernetes/simple/ldap-rc.yaml
+++ b/example/kubernetes/simple/ldap-rc.yaml
@@ -56,9 +56,7 @@ spec:
 
				             - name: LDAP_TLS_ENFORCE
			
 
				               value: "false"
			
 
				             - name: LDAP_TLS_CIPHER_SUITE
			
 
				-              value: "SECURE256:-VERS-SSL3.0"
			
 
				-            - name: LDAP_TLS_PROTOCOL_MIN
			
 
				-              value: "3.1"
			
 
				+              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
			
 
				             - name: LDAP_TLS_VERIFY_CLIENT
			
 
				               value: "demand"
			
 
				             - name: LDAP_REPLICATION
			
--- a/example/kubernetes/using-secrets/environment/my-env.yaml.startup
+++ b/example/kubernetes/using-secrets/environment/my-env.yaml.startup
@@ -28,8 +28,7 @@ LDAP_TLS_KEY_FILENAME: ldap.key
 
				 LDAP_TLS_CA_CRT_FILENAME: ca.crt
			
 
				 
			
 
				 LDAP_TLS_ENFORCE: false
			
 
				-LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
			
 
				-LDAP_TLS_PROTOCOL_MIN: 3.1
			
 
				+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
			
 
				 LDAP_TLS_VERIFY_CLIENT: demand
			
 
				 
			
 
				 # Replication
			
--- a/image/environment/default.yaml.startup
+++ b/image/environment/default.yaml.startup
@@ -28,8 +28,7 @@ LDAP_TLS_KEY_FILENAME: ldap.key
 
				 LDAP_TLS_CA_CRT_FILENAME: ca.crt
			
 
				 
			
 
				 LDAP_TLS_ENFORCE: false
			
 
				-LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
			
 
				-LDAP_TLS_PROTOCOL_MIN: 3.1
			
 
				+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
			
 
				 LDAP_TLS_VERIFY_CLIENT: demand
			
 
				 
			
 
				 # Replication
			
--- a/image/service/slapd/assets/config/tls/tls-enable.ldif
+++ b/image/service/slapd/assets/config/tls/tls-enable.ldif
@@ -3,9 +3,6 @@ changetype: modify
 
				 replace: olcTLSCipherSuite
			
 
				 olcTLSCipherSuite: {{ LDAP_TLS_CIPHER_SUITE }}
			
 
				 -
			
 
				-replace: olcTLSProtocolMin
			
 
				-olcTLSProtocolMin: {{ LDAP_TLS_PROTOCOL_MIN }}
			
 
				--
			
 
				 replace: olcTLSCACertificateFile
			
 
				 olcTLSCACertificateFile: {{ LDAP_TLS_CA_CRT_PATH }}
			
 
				 -
			
--- a/image/service/slapd/startup.sh
+++ b/image/service/slapd/startup.sh
@@ -244,7 +244,6 @@ EOF
 
				     sed -i "s|{{ LDAP_TLS_DH_PARAM_PATH }}|${LDAP_TLS_DH_PARAM_PATH}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
			
 
				 
			
 
				     sed -i "s|{{ LDAP_TLS_CIPHER_SUITE }}|${LDAP_TLS_CIPHER_SUITE}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
			
 
				-    sed -i "s|{{ LDAP_TLS_PROTOCOL_MIN }}|${LDAP_TLS_PROTOCOL_MIN}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
			
 
				     sed -i "s|{{ LDAP_TLS_VERIFY_CLIENT }}|${LDAP_TLS_VERIFY_CLIENT}|g" ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif
			
 
				 
			
 
				     ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f ${CONTAINER_SERVICE_DIR}/slapd/assets/config/tls/tls-enable.ldif 2>&1 | log-helper debug