How to enable TLS 1.3

[dungthai85]

It seems like the container is capable of TLSv1.3. When I run the command
openssl s_client -connect 127.0.0.1:10636 -tls1_3
I do get back a self-signed certificate.
When I run this command I get the cipher suite and it says the container is running TLSv.12

Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-28 15:31 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds 

I later update openldap to use TLSv1.3

changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.4

and I retry the command

Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-28 15:41 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).

PORT    STATE SERVICE
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds 

It seems like LDAP doesn't accept a higher protocol. Is the container capable of TLSv1.3? If so how can I enable it?

[tiredofit]

Are you using the Self Signed certificates that get automatically created? I believe I have it hardcoded for TLS1.2 as shown here:

docker-openldap/install/assets/functions/10-openldap

Line 57 in 630fbc8

MinProtocol = TLSv1.1

[dungthai85]

Thank you for the quick reply. That was a promising spot. I wanted to test the changes in the recommended spot first. I updated the MinProtocol and MaxProtocol to TLSv1.3.
I can see that it is properly in the /certs/ldap-selfsigned-ca/ldap-selsigned-ca.conf

[tiredofit/openldap 20:40:19] # cat ldap-selfsigned-ca.conf
      [ ca ]
      default_ca = ldap-selfsigned-ca
      [ ldap-selfsigned-ca ]
      unique_subject = no
      new_certs_dir = .
      certificate = "/certs/ldap-selfsigned-ca/"/"ldap-selfsigned-ca.crt"
      database = "/certs/ldap-selfsigned-ca/"/certindex
      private_key = "/certs/ldap-selfsigned-ca/"/ldap-selfsigned-ca.key
      serial = "/certs/ldap-selfsigned-ca/"/serial
      default_days = 3650
      default_md = default
      policy = ldap-selfsigned-ca_policy
      x509_extensions = ldap-selfsigned-ca_extensions

      [ ldap-selfsigned-ca_policy ]
      commonName = supplied
      stateOrProvinceName = supplied
      countryName = supplied
      emailAddress = optional
      organizationName = supplied
      organizationalUnitName = optional

      [ ldap-selfsigned-ca_extensions ]
      basicConstraints = CA:false
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always
      keyUsage = digitalSignature,keyEncipherment
      extendedKeyUsage = serverAuth,clientAuth

      [ req ]
      default_bits    = 2048

      [default_conf]
      ssl_conf = ssl_sect

      [ssl_sect]
      system_default = system_default_sect

      [system_default_sect]
      MinProtocol = TLSv1.3
      MaxProtocol = TLSv1.3
      CipherString = DEFAULT

I even tried updating the TLS_CIPHER_SUITE in the yml file to

- TLS_CIPHER_SUITE=ALL:TLSv1:TLSv1.2:TLSv1.3:!NULL

This is what I get from the server

Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-30 13:43 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Do you have any other ideas on how to enable the TLSv1.3?
The certificates look like they are TLSv1.3 available as

openssl s_client -connect 127.0.0.1:636 -tls1_3

Does return a certificate, But when modifying olcTLSProtocolMin from 3.3 to 3.4 all of those ciphers are removed from the list.

I don't know if this is an issue that pertains to it, but when connected I get this continuous error (I blocked off the ip)

openldap-app |635ee6aa.39dd9490 0x7f61490eeb38 TLS: can't accept: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol.
openldap-app |635ee6aa.39df1748 0x7f61498f1b38 TLS: can't accept: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low.
openldap-app |635ee6aa.39e089fc 0x7f614a108b38 TLS: can't accept: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol.
openldap-app |635ee329.0f2fe784 0x7fd3e98a2b38 conn=1382 fd=13 ACCEPT from IP=xx.x.x.1:53316 (IP=0.0.0.0:389)
openldap-app |635ee329.0f326888 0x7fd3ea0acb38 conn=1382 fd=13 closed (connection lost)
openldap-app |635ee329.0f329ed4 0x7fd3ea8afb38 conn=1383 fd=14 ACCEPT from IP=xx.x.x.1:45320 (IP=0.0.0.0:636)
openldap-app |635ee329.0f34a404 0x7fd3e9089b38 TLS: can't accept: (unknown).
openldap-app |635ee329.0f365858 0x7fd3e9089b38 conn=1383 fd=14 closed (TLS negotiation failure)

[tiredofit]

I'm wondering if since they are Self Signed that there is a CA chain issue - Are you able to generate something say via LetsEncrypt and swap them out to see if they work? I won't have some time on my own installs to look into this for a few more weeks.

[dungthai85]

Ok I will give that a try and get back at you. Thank you.