-
All replies
-
Helpful answers
-
Aug 24, 2016 10:02 AM in response to mdsahby ionepoch,From a prior answer:
>> Those services are not exposed to the Internet and it should make little difference how secure they are.
How do you know that the author of this question doesn't have his server exposed to the internet or a wider network?
>> In any case, they are plenty secure enough
Really?
>> and you can't make them more so.
Wrong
I understand the answer-er basically means "for most people on an internal network, this is probably good enough" ... I get that... but I don't think it's ideal to spread the message of weaker security today.
So how do you fix this?
Determine what the weakness is:
When running https://testssl.sh/ against the ldap server:
- /testssl.sh your.macserver.com:636
Old Config Shows:
SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) Version tolerance downgraded to TLSv1.2 (OK) SPDY/NPN not offered HTTP2/ALPN not offered Has server cipher order? yes (OK) Negotiated protocol TLSv1.2 Negotiated cipher AES256-GCM-SHA384 Cipher order TLSv1: AES256-SHA DHE-RSA-AES256-SHA AES128-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA TLSv1.1: AES256-SHA DHE-RSA-AES256-SHA AES128-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA TLSv1.2: AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES256-SHA256 AES256-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 AES128-SHA256 DHE-RSA-AES128-SHA256 AES128-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
The above doesn't actually look that bad... excepts for what we know about TLS 1.0.
Now Fix It
** You cannot modify slapd.conf files directly... you must use the ldapmodify command ... otherwise you will get CRC checksum errors upon ldap boot when it realizes someone was screwing with the file **
To fix this, we create an ldif file for the solution (and a rollback just in case):
- vi slapd2.ldif (Min TLS 1.2)
dn: cn=config changetype: modify replace: olcTLSCipherSuite olcTLSCipherSuite: TLS_RSA_WITH_NULL_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_RSA_WITH_AES_128_CBC_SHA256:TLS_DH_RSA_WITH_AES_256_CBC_SHA256:TLS_DH_RSA_WITH_AES_128_GCM_SHA256:TLS_DH_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_DSS_WITH_AES_128_CBC_SHA256:TLS_DH_DSS_WITH_AES_256_CBC_SHA256:TLS_DH_DSS_WITH_AES_128_GCM_SHA256:TLS_DH_DSS_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_DH_anon_WITH_AES_128_CBC_SHA256:TLS_DH_anon_WITH_AES_256_CBC_SHA256:TLS_DH_anon_WITH_AES_128_GCM_SHA256:TLS_DH_anon_WITH_AES_256_GCM_SHA384:RSA_WITH_AES_128_CCM:RSA_WITH_AES_256_CCM:DHE_RSA_WITH_AES_128_CCM:DHE_RSA_WITH_AES_256_CCM:RSA_WITH_AES_128_CCM_8:RSA_WITH_AES_256_CCM_8:DHE_RSA_WITH_AES_128_CCM_8:DHE_RSA_WITH_AES_256_CCM_8:ECDHE_ECDSA_WITH_AES_128_CCM:ECDHE_ECDSA_WITH_AES_256_CCM:ECDHE_ECDSA_WITH_AES_128_CCM_8:ECDHE_ECDSA_WITH_AES_256_CCM_8:TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
- vi rollback.ldif (this is only here just in case you want to revert - don't use this)
# cat rollback.ldif # This is technically weak!!! dn: cn=config changetype: modify replace: olcTLSCipherSuite olcTLSCipherSuite: HIGH
Now Make the Change
Then, on the Mac, we execute the change:
- You need to know the "diradmin" password for your mac directory server (see here if you don't have this)
- dc=SERVERHOSTNAME,dc=COMPANY,dc=COM needs to be swapped out with your server info
-- for example, operations.yourcompany.com would become dc=operations,dc=yourcompany,dc=com
- ldapmodify -v -D "uid=diradmin,cn=users,dc=SERVERHOSTNAME,dc=COMPANY,dc=COM" -h 127.0.0.1 -W -f slapd2.ldif
- The above will prompt you for the diradmin password.
If successful... it will say something like this:
ldap_initialize( ldap://127.0.0.1 ) Enter LDAP Password: replace olcTLSCipherSuite: TLS_RSA_WITH_NULL_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_RSA_WITH_AES_128_CBC_SHA256:TLS_DH_RSA_WITH_AES_256_CBC_SHA256:TLS_DH_RSA_WITH_AES_128_GCM_SHA256:TLS_DH_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_DSS_WITH_AES_128_CBC_SHA256:TLS_DH_DSS_WITH_AES_256_CBC_SHA256:TLS_DH_DSS_WITH_AES_128_GCM_SHA256:TLS_DH_DSS_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_DH_anon_WITH_AES_128_CBC_SHA256:TLS_DH_anon_WITH_AES_256_CBC_SHA256:TLS_DH_anon_WITH_AES_128_GCM_SHA256:TLS_DH_anon_WITH_AES_256_GCM_SHA384:RSA_WITH_AES_128_CCM:RSA_WITH_AES_256_CCM:DHE_RSA_WITH_AES_128_CCM:DHE_RSA_WITH_AES_256_CCM:RSA_WITH_AES_128_CCM_8:RSA_WITH_AES_256_CCM_8:DHE_RSA_WITH_AES_128_CCM_8:DHE_RSA_WITH_AES_256_CCM_8:ECDHE_ECDSA_WITH_AES_128_CCM:ECDHE_ECDSA_WITH_AES_256_CCM:ECDHE_ECDSA_WITH_AES_128_CCM_8:ECDHE_ECDSA_WITH_AES_256_CCM_8:TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 modifying entry "cn=config" modify complete
Next Restart LDAP
Next, kick slapd... don't worry.. it should instantaneously restart:
# ps ax | grep slapd 34742 ?? Ss 0:00.81 /usr/libexec/slapd -d 0 -h ldap:/// ldapi://%2Fvar%2Frun%2Fldapi 34814 s001 S+ 0:00.00 grep slapd # kill 34742 # ps ax | grep slapd 34753 ?? Ss 0:00.81 /usr/libexec/slapd -d 0 -h ldap:/// ldapi://%2Fvar%2Frun%2Fldapi 34819 s001 S+ 0:00.00 grep slapd ## ^^^ see... launchd or whatever auto-restarts slapd for us
Then .. tail the opendirectory slapd log to see if there are any errors... this looks normal-ish
# tail -n100 -f /var/log/slapd.log # This is good-ish: Aug 23 15:47:09 -- slapd[34742]: daemon: SLAP_SOCK_INIT: dtblsize=8192 Aug 23 15:47:09 -- slapd[34742]: PROXIED attributeDescription "DC" inserted. Aug 23 15:47:09 -- slapd[34742]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:blah.yourcompany.com" Aug 23 15:47:09 -- slapd[34742]: slap_add_listener: opened additional listener 'ldaps:///' Aug 23 15:47:09 -- slapd[34742]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable Aug 23 15:47:09 -- slapd[34742]: slapd starting Aug 23 15:47:09 -- slapd[34742]: daemon: posting com.apple.slapd.startup notification # If you screwed up... you'll see errors like this (i'm just putting this here so you get the idea of what a problem would look like) ***** Aug 23 15:33:42 -- slapd[34547]: TLS: could not parse cipher spec AES256-SHA (check TLSCipherSuite setting) ***** ***** Aug 23 15:33:42 -- slapd[34547]: main: TLS init def ctx failed: -1 ***** ***** Aug 23 15:33:42 -- slapd[34547]: main: Enabling TLS failed; continuing with TLS disabled. *****
Provided there are no errors... you should be good to go. Run some login smoke tests to ensure **** still works.
* Normal warnings and disclosures:
-- Make sure you have a backup of your opendirectory configs **before** making any changes
-- Use this at your own risk as your server may be different than ours
-- -- (it works for us / we've applied this to 3 different servers running El Cap 10.11.6 + Server 5.1.7)
-- -- Any client applications that try and auth that are incapable of speaking TLS 1.2 will not work
-- -- It is questionable if a future apple upgrade will either a) just work, b) erase these settings, c) fail to upgrade properly because apple may not support TLS 1.2 in all of their upgrade scripts? I don't know. Things to think about.
-- However, if your goal is to get rid of weak ciphers, I believe this is an acceptable answer.
Hope this helps.