[OPENDJ-7305] LDAP connector is not hardened in production mode Created: 23/Jun/20 Updated: 02/Jul/20 Resolved: 02/Jul/20 |
Status: | Done |
Project: | OpenDJ |
Component/s: | security |
Affects Version/s: | 7.0.0 |
Fix Version/s: | 7.0.0 |
Type: | Bug | Priority: | Critical |
Reporter: | carole forel | Assignee: | Michal Severin [X] (Inactive) |
Resolution: | Fixed | Votes: | 0 |
Labels: | Verified |
Epic Link: | Bugs 7.0 |
Story Points: | 0.5 |
Dev Assignee: | Nicolas Capponi |
QA Assignee: | Michal Severin [X] (Inactive) |
Description |
Now that production mode is enabled by default, it should only allow TLSv1.2 and TLSv1.3 and only enable certain cipher suites. It seems ok for LDAPS/Admin connector:

Administration Connector:
  10) ssl-cipher-suite  TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  11) ssl-protocol      TLSv1.2, TLSv1.3

But not for LDAP:

  DJ_PROD1/opendj/bin/dsconfig -h openam.example.com -p 4444 -D "uid=admin" -w password -X get-connection-handler-prop --handler-name "LDAP" -n

  Property                           : Value(s)
  -----------------------------------:-------------------------------------------
  advertised-listen-address          : openam.example.com
  allow-ldap-v2                      : true
  allow-start-tls                    : true
  allowed-client                     : All clients with addresses that do not
                                     : match an address on the deny list are
                                     : allowed. If there is no deny list, then
                                     : all clients are allowed.
  denied-client                      : If an allow list is specified, then only
                                     : clients with addresses on the allow list
                                     : are allowed. Otherwise, all clients are
                                     : allowed.
  enabled                            : true
  keep-stats                         : true
  key-manager-provider               : PKCS12
  listen-address                     : 0.0.0.0
  listen-port                        : 1389
  restricted-client                  : No restrictions are imposed on the number
                                     : of connections a client can open.
  restricted-client-connection-limit : 100
  ssl-cert-nickname                  : ssl-key-pair
  ssl-cipher-suite                   : Uses the default set of SSL cipher suites
                                     : provided by the server's JVM.
  ssl-client-auth-policy             : optional
  ssl-protocol                       : Uses the default set of SSL protocols
                                     : provided by the server's JVM.
  trust-manager-provider             : PKCS12
  use-ssl                            : false
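The gap the report describes is easy to miss because the LDAP handler has use-ssl false yet still negotiates TLS through StartTLS, so its ssl-protocol and ssl-cipher-suite settings matter. The script below is an added example, not OpenDJ code: it parses the property table that dsconfig get-connection-handler-prop -n prints and flags any handler that can negotiate TLS (use-ssl or allow-start-tls) while either property is left at the JVM default or permits values outside an explicit allowlist. The allowlists are taken from the Administration Connector values quoted in the report; the two sample tables are constructed (the first reproduces the LDAP handler output above, abridged; the second is a hypothetical hardened handler).

```python
"""Audit `dsconfig get-connection-handler-prop -n` output for TLS hardening gaps.

Added example, not part of the OpenDJ project. It parses the property table
dsconfig prints (constructed samples below) and flags a handler that can
negotiate TLS, via use-ssl or allow-start-tls, while ssl-protocol or
ssl-cipher-suite is left at the JVM default or allows unexpected values.
"""

# Protocols production mode is expected to allow, as stated in the report.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Cipher suites the report shows on the hardened Administration Connector.
ALLOWED_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

# Prefix dsconfig prints when a property falls back to the JVM defaults.
JVM_DEFAULT_MARKER = "Uses the default set of SSL"

# Constructed sample: the LDAP handler as printed in the report, abridged to
# the properties the audit needs plus one multi-line value for the parser.
LDAP_SAMPLE = """\
Property                           : Value(s)
-----------------------------------:-------------------------------------------
allow-start-tls                    : true
allowed-client                     : All clients with addresses that do not
                                   : match an address on the deny list are
                                   : allowed. If there is no deny list, then
                                   : all clients are allowed.
enabled                            : true
listen-port                        : 1389
ssl-cipher-suite                   : Uses the default set of SSL cipher suites
                                   : provided by the server's JVM.
ssl-protocol                       : Uses the default set of SSL protocols
                                   : provided by the server's JVM.
use-ssl                            : false
"""

# Constructed sample of a hypothetical hardened handler: explicit protocols
# and suites, with the suite list wrapped across continuation lines.
HARDENED_SAMPLE = """\
Property                           : Value(s)
-----------------------------------:-------------------------------------------
allow-start-tls                    : true
enabled                            : true
listen-port                        : 1636
ssl-cipher-suite                   : TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
                                   : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl-protocol                       : TLSv1.2, TLSv1.3
use-ssl                            : true
"""


def parse_properties(text):
    """Turn the dsconfig property table into a dict. Continuation rows
    (empty property column) are appended to the previous property's value."""
    props = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "Property" or name.startswith("-"):
            continue  # header and separator rows
        if name:
            current = name
            props[current] = value
        elif current is not None:
            props[current] = f"{props[current]} {value}".strip()
    return props


def split_values(value):
    """Split a comma-separated multi-valued property into a set of values."""
    return {v.strip() for v in value.split(",") if v.strip()}


def audit_handler(props):
    """Return a list of hardening findings for one connection handler.
    A handler that can never negotiate TLS yields no findings."""
    tls_possible = props.get("use-ssl") == "true" or props.get("allow-start-tls") == "true"
    if not tls_possible:
        return []
    findings = []
    for prop, allowed in (("ssl-protocol", ALLOWED_PROTOCOLS),
                          ("ssl-cipher-suite", ALLOWED_SUITES)):
        value = props.get(prop, "")
        if value.startswith(JVM_DEFAULT_MARKER):
            findings.append(f"{prop}: relies on the JVM default set")
            continue
        unexpected = sorted(split_values(value) - allowed)
        if unexpected:
            findings.append(f"{prop}: allows {', '.join(unexpected)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("LDAP", LDAP_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        result = audit_handler(parse_properties(sample))
        print(f"{label}: {result or 'no findings'}")
```

Run against real output by piping dsconfig into the script's parser for each handler name; the check deliberately treats allow-start-tls true as TLS-capable, which is exactly the condition that made the LDAP handler on port 1389 in this report a finding even though use-ssl was false.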
Comments |
Comment by Michal Severin [X] (Inactive) [ 02/Jul/20 ] |
Verified on OpenDJ 7.0.0-SNAPSHOT rev. 9a3f6c2f35a |