First, confirm that the problem exists.
# nmap -Pn -p T:636 --script ssl-enum-ciphers localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000085s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.0
| Ciphers (17)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_ECDHE_RSA_WITH_RC4_128_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
| TLS_RSA_EXPORT_WITH_RC4_40_MD5
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| TLS_RSA_WITH_SEED_CBC_SHA
| Compressors (1)
|_ uncompressed
Since this server runs OpenLDAP with OpenSSL, disable export-grade ciphers through the olcTLSCipherSuite setting.
If you run OpenLDAP with GnuTLS, look up the equivalent yourself.
# cat tls-cipher.ldif
dn: cn=config
add: olcTLSCipherSuite
olcTLSCipherSuite: ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-cipher.ldif
Restart slapd.
# service slapd restart
Confirm that the fix is in place.
# nmap -Pn -p T:636 --script ssl-enum-ciphers localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.0
| Ciphers (12)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_ECDHE_RSA_WITH_RC4_128_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| TLS_RSA_WITH_SEED_CBC_SHA
| Compressors (1)
|_ uncompressed
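As an added check that is not part of the original post: the Python below parses ssl-enum-ciphers output in the layout shown above and reports every offered suite that trips a weak-cipher rule, so the before/after scans can be compared mechanically instead of by eye. The rule table and the sample excerpt are my own constructions; note that the cipher string used above drops the EXP suites but still offers RC4 and 3DES, which this check keeps reporting.

```python
import re

# Constructed excerpt in the layout of the nmap ssl-enum-ciphers output above
# (not the full list; just enough suites to exercise every rule below).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (6)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_DES_CBC_SHA
"""

# Substring of the suite name -> why it should not be offered.  "_DES_" does
# not occur inside "_3DES_", so single DES and 3DES are separate rules.
WEAK_RULES = [
    ("_EXPORT", "export-grade key size"),
    ("_NULL_", "no encryption"),
    ("_RC4_", "RC4"),
    ("_DES_", "single DES"),
    ("_3DES_", "3DES (64-bit block)"),
    ("_MD5", "MD5 MAC"),
]
PROTO_RE = re.compile(r"^\|_?\s+((?:SSL|TLS)v[0-9.]+)\s*$")
# Trailing text after the suite name (newer nmap prints a grade there) is ignored.
SUITE_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)(?:\s.*)?$")

def parse_ciphers(output):
    """Return {protocol: [suite, ...]} parsed from ssl-enum-ciphers text."""
    suites, proto = {}, None
    for line in output.splitlines():
        p, s = PROTO_RE.match(line), SUITE_RE.match(line)
        if p:
            proto = p.group(1)
            suites.setdefault(proto, [])
        elif s and proto:
            suites[proto].append(s.group(1))
    return suites

def weak_ciphers(output):
    """{suite: [reasons]} for every offered suite that trips a rule."""
    found = {}
    for names in parse_ciphers(output).values():
        for name in names:
            reasons = [why for needle, why in WEAK_RULES if needle in name]
            if reasons:
                found[name] = reasons
    return found
```

Feed it the saved scan output from before and after the ldapmodify; an empty result for the EXPORT rule confirms the change took effect, while any remaining entries show what the cipher string still allows.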