Rocket Uniface User Forum


Lightweight Directory Access Protocol (LDAP) Settings

By Kathy Larson posted 03-29-2023 09:55

Created by Jasper de Keijzer

Introduction

To improve the security of the LDAP driver on UNIX, we have updated the driver to support network profiles defined in the Uniface ASN file. This means that in the NET_SETTINGS chapter you can define the ciphers and protocols in a profile, and then refer to that profile from the driver settings. In this blog you will learn what these settings do and how you can use them to improve the security of your environments. As a system administrator you can use the min_tls_version and cipher_list settings to set the minimum required protocol version and cipher suite for the network connection, preventing the server from downgrading to a non-secure TLS version or cipher during connection negotiation.

The additional settings are only available on UNIX or Linux systems with OpenLDAP installed.

The network security setup on Windows depends largely on the system configuration and cannot be influenced by the net profile setting described in this blog.

Current driver settings

The LDAP driver is created as a database driver and thus has the driver settings in the ASN file.

Here’s an example:

[driver_settings]
LDP = U3.0
USYS$LDP_PARAMS nulldefault=N, addbase=off

During a previous security update, we extended the driver settings with a TLS setting.

USYS$LDP_PARAMS nulldefault=N, addbase=off, TLS server validation=ignore_name

The settings:

USYS$LDP_PARAMS { = } tls ca file | tlscafil=PemFile

The pem file is the fully-qualified file name of the CA certificate in PEM format.

And we have the option to define the ca file directory.

USYS$LDP_PARAMS { = } tls ca directory | tlscadir=CaDir

New driver settings

For Linux and other UNIX systems, we first introduce the settings min_tls_version and cipher_list. Then, in the driver settings string, we add the net_profile setting, which points to a profile in the NET_SETTINGS chapter.

In the following example, we define a profile in the NET_SETTINGS and then we refer to it from the driver settings:

[NET_SETTINGS]
ldap_settings= verify_server=yes, verify_server_name=true, ca_certificate=/UNI1040120/ca-bundle.crt, min_tls_version=1.2,cipher_list=HIGH

[DRIVER_SETTINGS]
LDP = U3.0
USYS$LDP_PARAMS nulldefault=N, addbase=off, net_profile="ldap_settings"

Important notice

When a profile is defined and one of the settings mentioned below is found in it, all network-related driver options are ignored. Also, when one of the network options is found in the network profile, the LDAP driver switches to a TLS connection.

Mappings in the settings explained

The following table gives an overview of the existing driver settings and the network profile settings which replace the associated driver settings when a net_profile is used. As mentioned in the notice, when one of the options in the second column is found in the used network profile, the LDAP driver will switch to TLS and ignore the settings mentioned in the first column of this table. 

LDAP driver setting: tlscadir
Net profile setting: ca_location
Description: OpenLDAP setting LDAP_OPT_X_TLS_CACERTDIR. Directory containing the CA certificates with hashed file names; sets the path of the directory containing the CA certificates.

LDAP driver setting: tlscafil
Net profile setting: ca_certificate
Description: OpenLDAP setting LDAP_OPT_X_TLS_CACERTFILE. Sets the full path of the CA certificate file.

LDAP driver setting: (none)
Net profile setting: min_tls_version = 1.1 | 1.2 (default)
Description: OpenLDAP setting LDAP_OPT_X_TLS_PROTOCOL_MIN. OpenLDAP does not yet support version 1.3.

LDAP driver setting: tls server validation = validate | ignore_name
Net profile setting: verify_server = no (default) | yes
Description: Disables server certificate validation when set to "no"; maps to the "validate" option when set to "yes".

LDAP driver setting: tls server validation = validate | ignore_name
Net profile setting: verify_server_name = no (default) | yes
Description: Maps to the "ignore_name" option when set to "no".

LDAP driver setting: (none)
Net profile setting: cipher_list = <cipherlist>
Description: Defines the list of ciphers used in the connection, or one of the options ALL | DEFAULT | LOW | MEDIUM | HIGH.
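As an added example (not code from this post or from Uniface), the following Python script reads an ASN fragment like the one above and applies the rules of this table together with the precedence rule from the notice: it reports driver-level TLS options that the profile causes to be ignored, and flags a profile that leaves verify_server or verify_server_name off, lowers min_tls_version, or admits a cipher group below HIGH. The sample text, the file paths in it and the parsing of the ASN syntax are assumptions of this example.

```python
import re
# Constructed sample modelled on the blog's ASN fragment; tlscafil added to show an ignored driver option.
SAMPLE_ASN = """
[NET_SETTINGS]
ldap_settings= verify_server=yes, verify_server_name=true, ca_certificate=/UNI1040120/ca-bundle.crt, min_tls_version=1.2,cipher_list=HIGH
[DRIVER_SETTINGS]
LDP = U3.0
USYS$LDP_PARAMS nulldefault=N, addbase=off, tlscafil=/etc/pki/old-ca.pem, net_profile="ldap_settings"
"""
NET_OPTIONS = {"verify_server", "verify_server_name", "ca_certificate",
               "ca_location", "min_tls_version", "cipher_list"}
DRIVER_TLS_OPTIONS = {"tlscafil", "tls ca file", "tlscadir", "tls ca directory", "tls server validation"}

def parse_asn(text):
    """Return {SECTION: {key: value}} for ASN-style text; keys are lower-cased."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].upper(), {})
        elif line and current is not None:
            m = re.match(r"([^\s=]*)\s*=?\s*(.*)", line)  # "KEY = rest" or "KEY rest"
            current[m.group(1).lower()] = m.group(2)
    return sections

def parse_options(value):
    """Split 'a=1, b=2' into a dict, stripping quotes as in net_profile="ldap_settings"."""
    pairs = (p.split("=", 1) for p in value.split(",") if "=" in p)
    return {k.strip().lower(): v.strip().strip("\"'") for k, v in pairs}

def audit_ldap_tls(asn_text):
    """Apply the table's rules and the notice's precedence rule; return a list of findings."""
    sections = parse_asn(asn_text)
    driver = parse_options(sections.get("DRIVER_SETTINGS", {}).get("usys$ldp_params", ""))
    name = driver.get("net_profile", "")
    profile = parse_options(sections.get("NET_SETTINGS", {}).get(name.lower(), ""))
    if not (NET_OPTIONS & profile.keys()):
        return [f"no net_profile with TLS options ('{name or 'unset'}'): legacy driver options apply"]
    # The profile wins: any TLS option left in the driver string is silently ignored.
    findings = [f"driver option '{k}' is ignored in favour of profile '{name}'"
                for k in sorted(DRIVER_TLS_OPTIONS & driver.keys())]
    for opt in ("verify_server", "verify_server_name"):
        if profile.get(opt, "no").lower() not in ("yes", "true"):
            findings.append(f"{opt} is not 'yes': server certificate checks are weakened")
    if profile.get("min_tls_version", "1.2") < "1.2":
        findings.append("min_tls_version below 1.2 allows a downgrade to TLS 1.1")
    ciphers = set(re.split(r"[:, ]+", profile.get("cipher_list", "HIGH").upper()))
    if ciphers & {"ALL", "DEFAULT", "LOW", "MEDIUM"}:
        findings.append("cipher_list admits cipher groups below HIGH")
    return findings
```

Running audit_ldap_tls(SAMPLE_ASN) reports only the ignored tlscafil option; a profile with verify_server=no, min_tls_version=1.1 and cipher_list=MEDIUM produces four findings.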

Summary

If you have any comments or questions, please start a discussion in the Uniface forums.

Here are some useful links to documentation on the mentioned options:

LDAP Connector options
