
I am looking to set a third party application to authenticate with our domain. The application supports LDAPv3 and we have opted to use the StartTLS extension to encrypt the credentials from the source host application towards the domain server.

Having said this, I am at a loss as to what TLS version is used in StartTLS. Given the older versions are less acceptable, we would like to opt to allow only the later versions (1.2, 1.3) of TLS to be accepted.

My question therefore is:

What TLS version is used/supported for StartTLS?

Ángel
arbi
  • Isn't this going to depend on your local environment? Your LDAP server is the determining constraint. – schroeder Jul 08 '20 at 08:49
  • Why do you want to use opportunistic TLS in an LDAP environment? Shouldn't all credentials be sent encrypted? – schroeder Jul 08 '20 at 08:51
  • My constraint is on the application since it supports LDAPv3. LDAP server itself supports encryption, so I believe StartTLS would be adequate to encrypt from application to domain server, unless there is a better alternative, that is. – arbi Jul 08 '20 at 09:08
  • ... ok, then there you go? Look up the documentation for the client? – schroeder Jul 08 '20 at 09:52

1 Answer

I don't have an LDAP server to test this with, but if you have openssl 1.1.1, then you should be able to use openssl s_client to connect to your LDAP server and then proceed with the protocol to upgrade the connection to SSL/TLS using STARTTLS, using a command along the lines of:

openssl s_client -starttls ldap -crlf -connect host.domain.tld:port

See https://www.openssl.org/docs/man1.1.1/man1/openssl-s_client.html for more info.

Then, you can use options with the above command such as -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3 -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_2 -no_tls1_3, etc. to restrict/allow openssl to connect using various SSL/TLS protocols in order to see which ones the server supports. Referring to the above reference at openssl.org, you can see that there are also options that you can use to restrict/allow various ciphers as well.


As I mentioned above, I don't have an LDAP server to test this on, but the process would be similar to that of using openssl s_client to test the versions of SSL/TLS supported by an SMTP server configured for STARTTLS. For example, the following command initiates a connection to Gmail's SMTP server on port 587, then upgrades the connection to SSL/TLS via STARTTLS:

openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587

You can see from the output of the command that the connection is secured using TLS1.3. So, now we know that Gmail's SMTP server supports TLSv1.3. So, next, run a similar command, but add the -no_tls1_3 option to prevent openssl from using TLS1.3:

openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587 -no_tls1_3

You'll see from the output of the command that TLS1.2 was used to secure the connection. Now we know that Gmail's SMTP server supports TLS1.3 and TLS1.2. So, next, run a similar command, but add -no_tls1_2 in addition to -no_tls1_3:

openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587 -no_tls1_3 -no_tls1_2

You'll see that the connection was secured using TLS1.1. If you keep repeating the process, eventually you'll get to a point where you've eliminated all of the TLS/SSL versions that the server supports, and the connection will fail. At that point, you'll know all of the TLS/SSL versions that the server supports.


From the openssl reference that I linked to above, it seems that in openssl 1.1.1, they've added support for LDAP with openssl s_client -starttls. So, you ought to be able to follow a procedure similar to the above to use openssl to see which TLS versions are supported by your LDAP server.

mti2935
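The answer walks through the probing procedure by hand, one openssl s_client run per TLS version, reading the negotiated version off the output each time. The script below is an added example (not part of the answer, and not the asker's application or server) that automates that loop for an LDAP server behind StartTLS and checks each result against the "TLS 1.2 or 1.3 only" requirement from the question. It assumes openssl 1.1.1 or later is on PATH; the host:port is a placeholder you pass as an argument. The parser reads the "Protocol  :" line of the SSL-Session summary rather than the "New, <version>, Cipher is ..." line, because the latter reports the version in which the cipher suite was first defined, not the version the connection actually negotiated. The sample outputs embedded in the script are constructed and abridged, so the parser can be exercised without a live server.

```shell
#!/bin/sh
# Added example: enumerate the TLS versions an LDAP server accepts over
# StartTLS by driving `openssl s_client -starttls ldap` once per version.
# Assumes openssl >= 1.1.1 on PATH. HOST:PORT is a placeholder argument.

# Extract the negotiated protocol version from captured s_client output.
# Prints e.g. "TLSv1.2", or nothing when no session was established
# (s_client then prints "New, (NONE), Cipher is (NONE)" and "Cipher : 0000").
negotiated_protocol() {
    printf '%s\n' "$1" | awk '
        /^New, \(NONE\)/          { failed = 1 }
        /^ *Protocol *:/          { sub(/^ *Protocol *: */, ""); proto = $0 }
        END { if (!failed && proto != "") print proto }'
}

# Returns 0 when a negotiated version satisfies a "TLS 1.2 or 1.3 only" policy.
is_acceptable() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *)               return 1 ;;
    esac
}

# Force one protocol version with a flag such as -tls1_2 and report what
# the server negotiated (empty if the handshake failed). Needs network access.
probe_version() {
    out=$(openssl s_client -starttls ldap -crlf -connect "$1" "$2" </dev/null 2>&1 || true)
    negotiated_protocol "$out"
}

# Try each version the 1.1.1 s_client can force; a flag that this openssl
# build no longer supports (e.g. -tls1) simply shows up as "rejected".
enumerate_versions() {
    for flag in -tls1_3 -tls1_2 -tls1_1 -tls1; do
        proto=$(probe_version "$1" "$flag")
        if [ -z "$proto" ]; then
            echo "$flag: rejected by server"
        elif is_acceptable "$proto"; then
            echo "$flag: accepted ($proto) - meets policy"
        else
            echo "$flag: accepted ($proto) - VIOLATES policy, disable on the server"
        fi
    done
}

# Constructed, abridged s_client outputs used for offline checks.
SAMPLE_TLS13='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'
SAMPLE_TLS12='CONNECTED(00000003)
---
New, TLSv1.0, Cipher is AES256-SHA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
---'
SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
---'

# Usage: sh probe_ldap_tls.sh ldap.example.com:389
# With no argument, run the parser over the constructed samples instead.
if [ "$#" -ge 1 ]; then
    enumerate_versions "$1"
else
    for s in "$SAMPLE_TLS13" "$SAMPLE_TLS12" "$SAMPLE_FAIL"; do
        p=$(negotiated_protocol "$s")
        echo "parsed: ${p:-no session}"
    done
fi
```

Run it against the directory server's LDAP port (389 for StartTLS, not the 636 LDAPS port) from the host the application lives on, so the check sees the same path the application will use. Any line reported as "VIOLATES policy" means the server still offers a version below 1.2, and the fix belongs on the server's TLS configuration rather than in the client, since a client can only choose among what the server allows.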