Adjust LDAP_TLS_CIPHER_SUITE to Red Hat's TLS hardening guide

jgehrcke · jgehrcke · commit 996545849784 · 2016-07-20T19:14:21.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,10 @@
 # Changelog
 
 ## 1.1.4
-Remove TLS environment variable LDAP_TLS_PROTOCOL_MIN, see #69
-
+- Remove environment variable LDAP_TLS_PROTOCOL_MIN as it takes no effect, see #69.
+- Adjust default GnuTLS cipher string according to Red Hat's TLS hardening guide.
+  This by default also restricts the TLS protocol version to 1.2. For reference,
+  see #69.
 
 ## 1.1.3
 Merge pull request :
diff --git a/README.md b/README.md
@@ -253,7 +253,7 @@ TLS options:
 - **LDAP_TLS_KEY_FILENAME**: Ldap ssl certificate private key filename. Defaults to `ldap.key`
 - **LDAP_TLS_CA_CRT_FILENAME**: Ldap ssl CA certificate  filename. Defaults to `ca.crt`
 - **LDAP_TLS_ENFORCE**: Enforce TLS. Defaults to `false`
-- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:-VERS-SSL3.0`
+- **LDAP_TLS_CIPHER_SUITE**: TLS cipher suite. Defaults to `SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC`, based on Red Hat's [TLS hardening guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html)
 - **LDAP_TLS_VERIFY_CLIENT**: TLS verify client. Defaults to `demand`
 
 	Help: http://www.openldap.org/doc/admin24/tls.html
diff --git a/example/extend-osixia-openldap/environment/my-env.yaml.startup b/example/extend-osixia-openldap/environment/my-env.yaml.startup
@@ -23,7 +23,7 @@ LDAP_TLS_KEY_FILENAME: cert.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false
-LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
 LDAP_TLS_VERIFY_CLIENT: never
 
 # Replication
diff --git a/example/kubernetes/simple/ldap-rc.yaml b/example/kubernetes/simple/ldap-rc.yaml
@@ -54,7 +54,7 @@ spec:
             - name: LDAP_TLS_ENFORCE
               value: "false"
             - name: LDAP_TLS_CIPHER_SUITE
-              value: "SECURE256:-VERS-SSL3.0"
+              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
             - name: LDAP_TLS_VERIFY_CLIENT
               value: "demand"
             - name: LDAP_REPLICATION
diff --git a/example/kubernetes/using-secrets/environment/my-env.yaml.startup b/example/kubernetes/using-secrets/environment/my-env.yaml.startup
@@ -23,7 +23,7 @@ LDAP_TLS_KEY_FILENAME: cert.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false
-LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
 LDAP_TLS_VERIFY_CLIENT: never
 
 # Replication
diff --git a/image/environment/default.yaml.startup b/image/environment/default.yaml.startup
@@ -28,7 +28,7 @@ LDAP_TLS_KEY_FILENAME: ldap.key
 LDAP_TLS_CA_CRT_FILENAME: ca.crt
 
 LDAP_TLS_ENFORCE: false
-LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
 LDAP_TLS_VERIFY_CLIENT: demand
 
 # Replication
