I have an openldap server, and I'm trying to tune my TLSCipherSuite settings to be as secure as I can have them.

Please do not critique my actual security settings. Please just help me understand what is happening.

I am editing the /etc/openldap/slapd.conf file, and I am using slaptest to convert that file into the /etc/openldap/slapd.d configuration directory. I am using sslscan to list the ciphers available for use.

I started with

TLSCipherSuite HIGH:MEDIUM:-SSLv2:+SSLv3

and sslscan tells me

$ sslscan --no-failed hostname:636  | grep Accepted
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  256 bits  CAMELLIA256-SHA
[...]
Accepted  TLS12  112 bits  DES-CBC3-SHA
Accepted  TLS12  112 bits  ECDHE-RSA-RC4-SHA
Accepted  TLS12  112 bits  RC4-SHA
Accepted  TLS12  112 bits  RC4-MD5

$ sslscan --no-failed hostname:636  | grep Accepted  | wc -l
72

From there, I took out MEDIUM

TLSCipherSuite HIGH:-SSLv2:+SSLv3

$ sslscan --no-failed hostname:636  | grep Accepted  | wc -l
57

Better. Then I tried to remove SHA1, and here's where I get completely confused.

TLSCipherSuite HIGH:-SSLv2:+SSLv3:-SHA

$ sslscan --no-failed hostname:636  | grep Accepted  | wc -l
91

$ sslscan --no-failed hostname:636  | grep Accepted
[...]
Accepted  TLS12  112 bits  RC4-SHA
Accepted  TLS12  112 bits  RC4-MD5
Accepted  TLS12  56 bits   EDH-RSA-DES-CBC-SHA
Accepted  TLS12  56 bits   DES-CBC-SHA
Accepted  TLS12  0 bits    ECDHE-RSA-NULL-SHA
Accepted  TLS12  0 bits    NULL-SHA
Accepted  TLS12  0 bits    NULL-MD5

So my question is: what happened here? I tried to remove some ciphers from my accepted list, and instead I added a bunch. What did I do wrong?

Again, please do not critique my actual security settings. Please just help me understand what is happening.

hymie
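Added example, not part of the question above: a small Python script that parses two sslscan runs, lists which ciphers appeared or disappeared between them, and flags the ones a practitioner would want to see called out (NULL, RC4, single DES, 3DES, MD5 MAC, export grade). It also has a helper that expands an OpenSSL cipher string with `openssl ciphers -v`, so the list OpenSSL itself derives from a TLSCipherSuite value can be compared against what the listening server actually accepts; the helper returns None when openssl is absent or rejects the string. The BEFORE and AFTER samples are constructed from the sslscan lines quoted in the question (only excerpts, so the "removed" side below reflects the truncation, not the real 57-line run); the regexes and the weak-cipher labels are my own choices, not sslscan's or OpenLDAP's.

```python
import re
import shutil
import subprocess

# Constructed samples: the sslscan lines quoted in the question, first run
# (HIGH:MEDIUM:-SSLv2:+SSLv3) and third run (HIGH:-SSLv2:+SSLv3:-SHA). Excerpts only.
BEFORE = """\
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  256 bits  CAMELLIA256-SHA
Accepted  TLS12  112 bits  DES-CBC3-SHA
Accepted  TLS12  112 bits  ECDHE-RSA-RC4-SHA
Accepted  TLS12  112 bits  RC4-SHA
Accepted  TLS12  112 bits  RC4-MD5
"""
AFTER = """\
Accepted  TLS12  112 bits  RC4-SHA
Accepted  TLS12  112 bits  RC4-MD5
Accepted  TLS12  56 bits   EDH-RSA-DES-CBC-SHA
Accepted  TLS12  56 bits   DES-CBC-SHA
Accepted  TLS12  0 bits    ECDHE-RSA-NULL-SHA
Accepted  TLS12  0 bits    NULL-SHA
Accepted  TLS12  0 bits    NULL-MD5
"""

# One sslscan "Accepted" line: protocol, key bits, OpenSSL cipher name.
LINE_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Labels and name patterns are my own; order determines report order.
WEAK_PATTERNS = {
    "NULL cipher (no encryption)": re.compile(r"NULL"),
    "RC4 stream cipher": re.compile(r"RC4"),
    "single DES": re.compile(r"(?<!3)DES-CBC-"),
    "3DES (112-bit)": re.compile(r"DES-CBC3|3DES"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "export grade": re.compile(r"EXP"),
}


def parse_sslscan(text):
    """Return a set of (protocol, bits, cipher_name) for every Accepted line."""
    rows = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, bits, name = m.groups()
            rows.add((proto, int(bits), name))
    return rows


def classify(name, bits):
    """List of reasons a cipher suite is weak; empty list if none of the patterns match."""
    reasons = [label for label, pat in WEAK_PATTERNS.items() if pat.search(name)]
    if bits < 128 and not reasons:
        reasons.append("under 128 bits")
    return reasons


def diff_accepted(before, after):
    """(added, removed) as sorted lists of (protocol, cipher_name) between two runs."""
    b = {(p, n) for p, _, n in before}
    a = {(p, n) for p, _, n in after}
    return sorted(a - b), sorted(b - a)


def report(before_text, after_text):
    """Summarize what a config change did to the accepted list, flagging weak additions."""
    before, after = parse_sslscan(before_text), parse_sslscan(after_text)
    bits = {(p, n): b for p, b, n in after}
    added, removed = diff_accepted(before, after)
    lines = [f"accepted before: {len(before)}, after: {len(after)}"]
    for proto, name in added:
        why = classify(name, bits[(proto, name)])
        flag = f"  WEAK: {', '.join(why)}" if why else ""
        lines.append(f"+ {proto} {name}{flag}")
    for proto, name in removed:
        lines.append(f"- {proto} {name}")
    return lines


def expand_openssl(spec):
    """Cipher names OpenSSL derives from a cipher string via `openssl ciphers -v`.

    Returns None if openssl is not installed or rejects the string (non-zero exit,
    e.g. "Error in cipher list"), which is itself a useful signal when a
    TLSCipherSuite value does not behave as expected.
    """
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", spec],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return [line.split()[0] for line in proc.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    for line in report(BEFORE, AFTER):
        print(line)
    expanded = expand_openssl("HIGH:-SSLv2:+SSLv3:-SHA")
    print("openssl expansion:", "unavailable/rejected" if expanded is None else len(expanded))
```

To use it against a real server, paste the `sslscan --no-failed hostname:636 | grep Accepted` output of two runs into BEFORE and AFTER; every line prefixed "+" and tagged WEAK is a suite the change newly exposed. Comparing `expand_openssl(spec)` with the names sslscan accepts is the quickest way to tell whether the server is actually applying the string you wrote or something else.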