
LDAP connector is not hardened in production mode

    Details

    • Type: Bug
    • Status: Done
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: security
    • Labels:

      Description

      Now that production mode is enabled by default, it should only allow TLSv1.2 and TLSv1.3 and only enable certain cipher suites.

      It seems ok for LDAPS/Admin connector:

      Administration Connector:
      
      10)  ssl-cipher-suite                   
       
      TLS_AES_128_GCM_SHA256,
      TLS_AES_256_GCM_SHA384,
      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      
      11)  ssl-protocol                        TLSv1.2, TLSv1.3
      

      But not for LDAP:

      DJ_PROD1/opendj/bin/dsconfig -h openam.example.com -p 4444 -D "uid=admin" -w password -X get-connection-handler-prop --handler-name "LDAP" -n
      Property                           : Value(s)
      -----------------------------------:-------------------------------------------
      advertised-listen-address          : openam.example.com
      allow-ldap-v2                      : true
      allow-start-tls                    : true
      allowed-client                     : All clients with addresses that do not
                                         : match an address on the deny list are
                                         : allowed. If there is no deny list, then
                                         : all clients are allowed.
      denied-client                      : If an allow list is specified, then only
                                         : clients with addresses on the allow list
                                         : are allowed. Otherwise, all clients are
                                         : allowed.
      enabled                            : true
      keep-stats                         : true
      key-manager-provider               : PKCS12
      listen-address                     : 0.0.0.0
      listen-port                        : 1389
      restricted-client                  : No restrictions are imposed on the number
                                         : of connections a client can open.
      restricted-client-connection-limit : 100
      ssl-cert-nickname                  : ssl-key-pair
      ssl-cipher-suite                   : Uses the default set of SSL cipher suites
                                         : provided by the server's JVM.
      ssl-client-auth-policy             : optional
      ssl-protocol                       : Uses the default set of SSL protocols
                                         : provided by the server's JVM.
      trust-manager-provider             : PKCS12
      use-ssl                            : false
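As an added example (not OpenDJ's own tooling), the POSIX shell helper below parses the table that dsconfig get-connection-handler-prop prints, as quoted above for both handlers, and flags a handler whose ssl-protocol or ssl-cipher-suite still falls back to the JVM defaults or lists a protocol below TLSv1.2 or a weak suite. The two sample tables embedded in it are constructed by trimming the outputs in this issue, and the weak-suite patterns are this helper's own denylist, not an OpenDJ list.

```shell
# Added audit helper (not OpenDJ's own tooling): parse the "property : value"
# table that "dsconfig get-connection-handler-prop" prints (wrapped values
# continue on lines starting with ':') and report whether ssl-protocol and
# ssl-cipher-suite are set explicitly and hardened, or still use JVM defaults.

# Join wrapped values so every property becomes one "name=value" line.
flatten_props() {
    awk '
        $1 == ":" { cur = cur " " substr($0, index($0, ":") + 2); next }
        $2 == ":" { if (name != "") print name "=" cur
                    name = $1; cur = substr($0, index($0, ":") + 2) }
        END       { if (name != "") print name "=" cur }'
}

# Return 0 when only TLSv1.2/TLSv1.3 and non-weak suites are configured;
# return 1 and print one line per finding otherwise. The weak-suite patterns
# are this helper's own denylist, not an OpenDJ list.
check_handler_hardening() {
    props=$(printf '%s\n' "$1" | flatten_props)
    proto=$(printf '%s\n' "$props" | sed -n 's/^ssl-protocol=//p')
    suites=$(printf '%s\n' "$props" | sed -n 's/^ssl-cipher-suite=//p')
    rc=0
    case "$proto" in
        *"default set of SSL protocols"*) echo "ssl-protocol: JVM default"; rc=1 ;;
        *) for p in $(printf '%s\n' "$proto" | tr ',' ' '); do
               case "$p" in TLSv1.2|TLSv1.3) ;; *) echo "ssl-protocol: $p"; rc=1 ;; esac
           done ;;
    esac
    case "$suites" in
        *"default set of SSL cipher suites"*) echo "ssl-cipher-suite: JVM default"; rc=1 ;;
        *) for s in $(printf '%s\n' "$suites" | tr ',' ' '); do
               case "$s" in *_CBC_*|*_RC4_*|*_3DES_*|*_NULL_*|*_anon_*|*EXPORT*|*_MD5)
                   echo "ssl-cipher-suite: weak $s"; rc=1 ;; esac
           done ;;
    esac
    return $rc
}

# Constructed samples, trimmed from the two handler outputs quoted in the issue.
LDAP_PROPS="ssl-cipher-suite                   : Uses the default set of SSL cipher suites
                                   : provided by the server's JVM.
ssl-protocol                       : Uses the default set of SSL protocols
                                   : provided by the server's JVM."
ADMIN_PROPS="ssl-cipher-suite                   : TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                                   : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ssl-protocol                       : TLSv1.2, TLSv1.3"

check_handler_hardening "$LDAP_PROPS" || echo "LDAP handler: NOT hardened"
check_handler_hardening "$ADMIN_PROPS" && echo "Administration Connector: hardened"
```

To audit a live server, pipe the output of the dsconfig command shown in this issue into check_handler_hardening in place of the constructed samples.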
            People

            • Assignee: Michal Severin (michal.severin)
            • Reporter: carole forel (cforel)
            • Dev Assignee: Nicolas Capponi
            • QA Assignee: Michal Severin
