Thomas Cramer
2005-Nov-22 22:00 UTC
[Fedora-directory-users] Require SSL/TLS Only Connections
I would like to require that *only* SSL/TLS connections be allowed to my server. This is not to be confused with wanting SSL client authentication. I had initially thought I could do this with an ACI using authmethod="ssl"; however, after looking at the documentation closely and experimenting, this refers to client-based SSL authentication as well. I do have SSL/TLS set up correctly, I just want to disallow non-encrypted traffic. In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS-only connections. Anyone know how to do this in FDS?

=tc
Ulf Weltman
2005-Nov-23 04:39 UTC
Re: [Fedora-directory-users] Require SSL/TLS Only Connections
Hello Thomas. You can disable the plain LDAP port by setting nsslapd-port to 0 in dse.ldif. The errors log should say that the non-secure port is disabled when you start up again. I don't think there's a way to get the server to require successful start-TLS on the plain port before accepting any other operations.

Thomas Cramer wrote:
> I would like to require that *only* SSL/TLS connections be allowed to
> my server. This is not to be confused with wanting SSL client
> authentication. I had initially thought I could do this with ACI
> using the authmethod="ssl", however after looking at the documentation
> closely and experimentation this refers to do client based SSL
> authentication as well. I do have SSL/TLS set up correctly, I just
> want to disallow non-encrypted traffic.
>
> In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS
> only connections.
>
> Anyone know how to do this in FDS?
>
> =tc
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
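As an added illustration of Ulf's suggestion (this is example code, not from the thread, from Fedora Directory Server or from its documentation): a constructed dse.ldif excerpt for cn=config with the cleartext port turned off, beside the "before" excerpt that still listens on 389, and a small POSIX shell check that reads the attributes back out of the file. The file paths, the secure port number 636 and the surrounding objectClass lines are assumptions; nsslapd-security and nsslapd-secureport are assumed to already be set because the original poster says SSL/TLS is configured. Turning the plain port off also removes start-TLS, since there is no longer a cleartext listener to start it on.

```shell
#!/bin/sh
# Added example, not the project's own code. Two constructed dse.ldif
# excerpts: one that still accepts cleartext LDAP on 389, and one that
# applies the advice above (nsslapd-port: 0) so only the SSL/TLS listener
# remains. Paths and port numbers are assumptions; adjust for your instance.
WEAK_LDIF="${TMPDIR:-/tmp}/dse.ldif.cleartext"
SSL_ONLY_LDIF="${TMPDIR:-/tmp}/dse.ldif.ssl-only"

cat > "$WEAK_LDIF" <<'EOF'
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
cn: config
nsslapd-port: 389
nsslapd-security: on
nsslapd-secureport: 636
EOF

cat > "$SSL_ONLY_LDIF" <<'EOF'
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
cn: config
nsslapd-port: 0
nsslapd-security: on
nsslapd-secureport: 636
EOF

# Print the value of one attribute from the cn=config entry of a dse.ldif.
# $1 = path to dse.ldif, $2 = attribute name (matched case-insensitively).
dse_attr() {
  awk -v want="$2" '
    tolower($0) == "dn: cn=config" { in_cfg = 1; next }
    in_cfg && /^$/ { exit }                     # end of the cn=config entry
    in_cfg && index(tolower($0), tolower(want) ":") == 1 {
      sub(/^[^:]*:[ \t]*/, "")                  # strip "attr: " prefix
      print
      exit
    }' "$1"
}

# Exit status 0 only when the cleartext port is disabled (0), SSL/TLS is
# switched on, and a secure port is configured.
ssl_only() {
  [ "$(dse_attr "$1" nsslapd-port)" = "0" ] &&
  [ "$(dse_attr "$1" nsslapd-security)" = "on" ] &&
  [ -n "$(dse_attr "$1" nsslapd-secureport)" ]
}

for f in "$WEAK_LDIF" "$SSL_ONLY_LDIF"; do
  if ssl_only "$f"; then
    echo "$f: cleartext port disabled; SSL/TLS listener on port $(dse_attr "$f" nsslapd-secureport)"
  else
    echo "$f: WARNING: cleartext LDAP still enabled on port $(dse_attr "$f" nsslapd-port)" >&2
  fi
done
```

After editing the real dse.ldif (with the server stopped, since it rewrites that file on shutdown) and restarting, confirm the errors log reports the non-secure port as disabled and that a plain `ldapsearch` against port 389 is refused.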
David Boreham
2005-Nov-23 16:22 UTC
Re: [Fedora-directory-users] Require SSL/TLS Only Connections
>> I would like to require that *only* SSL/TLS connections be allowed to
>> my server. This is not to be confused with wanting SSL client
>> authentication. I had initially thought I could do this with ACI
>> using the authmethod="ssl", however after looking at the
>> documentation closely and experimentation this refers to do client
>> based SSL authentication as well. I do have SSL/TLS set up
>> correctly, I just want to disallow non-encrypted traffic.

This is interesting. I swear that we had a 'transport security type' ACI LAS type. I remember talking about it as if it existed many times. However, when I look at the code I see that you are correct: the 'authmethod' thing is really looking for SASL_EXTERNAL/SSL authentication, and not SSL used as transport. Something for the todo list perhaps would be to add transport type: encrypted or not and so on.