Mainframe Cybersecurity & Compliance


 CA LDAP r15.1 Vulnerability Issues

James McGinley posted Jul 16, 2024 03:38 PM

Good afternoon,

Just joined and hoping someone from the community has resolved similar issues.

Our CA LDAP servers are getting flagged during Qualys vulnerability reporting for "Weak Key Exchange" port 636 or 637.

I have added the following statements to the slapd.conf:

TLSProtocolMin tls1.2

TLSDhMinKeySize 2048
TLSDsaMinKeySize 2048
TLSEccMinKeySize 194
TLSRsaMinKeySize 2048

I have not been able to correct this problem. Has anyone dealt with this before?

Regards,

Jamie


James McGinley

I was able to sort this out. The following TLSCipherSuite statement in slapd.conf worked:

TLSCipherSuite AES256-SHA:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:ECDHE-RSA-AES256-SHA

TLS: configured cipher suites:
TLS: 0035: Kx=RSA   Au=RSA   Enc=AES(256)  Mac=SHA1B
TLS: C014: Kx=ECDHE Au=RSA   Enc=AES(256)  Mac=SHA1
TLS: C028: Kx=ECDHE Enc=AES(256)  Mac=SHA384
TLS: C030: Kx=ECDHE Enc=AES(256)  Mac=AEAD
TLS: C032: Kx=ECDH  Enc=AES(256)  Mac=AEAD
TLS: available cipher suites from gsk_get_all_cipher_suites():

The older cipher suites used cipher keyword names (0035 & C014). The newer cipher suites would only work with cipher suite names. Specifying cipher suite codes did not work and Broadcom support is looking into that issue.

Our CA LDAP vulnerability report is clean now.


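Both posts above turn on the same two questions: which of the suites slapd reports as configured still use a static (RSA or ECDH) key exchange or a legacy SHA1 MAC, and which entries in the TLSCipherSuite string are OpenSSL-style keyword names versus IANA-style suite names. The script below is an added example by the editor, not code from the original thread or from Broadcom. It parses the "TLS: configured cipher suites" debug listing (sample lines constructed from the format the reply shows), flags each suite with this script's own classification rules (the exact criteria Qualys applies under "Weak Key Exchange" are not on the page and are assumed here to centre on key exchange without forward secrecy), and classifies each TLSCipherSuite token by naming style.

```python
"""Audit a CA LDAP (slapd) cipher-suite debug listing and a TLSCipherSuite
string. Editor's example; the weakness rules below are assumptions, not the
published criteria of Qualys or Broadcom."""
import re
from dataclasses import dataclass, field

# Constructed sample: the listing format slapd prints at startup, as quoted in
# the thread (one line per configured suite, hex code then key=value attributes).
SAMPLE_LOG = """\
TLS: configured cipher suites:
TLS: 0035: Kx=RSA   Au=RSA   Enc=AES(256)  Mac=SHA1
TLS: C014: Kx=ECDHE Au=RSA   Enc=AES(256)  Mac=SHA1
TLS: C028: Kx=ECDHE Enc=AES(256)  Mac=SHA384
TLS: C030: Kx=ECDHE Enc=AES(256)  Mac=AEAD
TLS: C032: Kx=ECDH  Enc=AES(256)  Mac=AEAD
TLS: available cipher suites from gsk_get_all_cipher_suites():
"""

# The TLSCipherSuite value from the reply, used to show name-style detection.
SAMPLE_CIPHER_STRING = (
    "AES256-SHA:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:"
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:ECDHE-RSA-AES256-SHA"
)

SUITE_RE = re.compile(r"^TLS: (?P<code>[0-9A-Fa-f]{4}): (?P<attrs>.+)$")

# Key-exchange methods with no forward secrecy (static key in the certificate).
STATIC_KX = {"RSA", "ECDH"}


@dataclass
class Suite:
    code: str
    attrs: dict = field(default_factory=dict)


def parse_suites(log: str) -> list:
    """Return the Suite entries found in a slapd 'configured cipher suites' listing."""
    suites = []
    for line in log.splitlines():
        m = SUITE_RE.match(line.strip())
        if not m:
            continue  # header/footer lines carry no suite
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        suites.append(Suite(m.group("code").upper(), attrs))
    return suites


def issues_for(suite: Suite) -> list:
    """Classify one suite; empty list means nothing to report under these rules."""
    issues = []
    kx = suite.attrs.get("Kx", "")
    mac = suite.attrs.get("Mac", "")
    if kx in STATIC_KX:
        issues.append(f"Kx={kx}: static key exchange, no forward secrecy")
    if mac == "SHA1":
        issues.append("Mac=SHA1: legacy HMAC")
    if mac != "AEAD":
        issues.append("non-AEAD (CBC + HMAC) record protection")
    return issues


def audit(log: str) -> dict:
    """Map suite code -> list of issues, for every configured suite with at least one."""
    return {s.code: issues_for(s) for s in parse_suites(log) if issues_for(s)}


def weak_key_exchange(log: str) -> list:
    """Codes of configured suites whose key exchange lacks forward secrecy."""
    return [s.code for s in parse_suites(log) if s.attrs.get("Kx") in STATIC_KX]


def name_style(token: str) -> str:
    """'code' for a 4-hex-digit suite id, 'iana' for TLS_* names, else 'openssl' keyword."""
    if re.fullmatch(r"[0-9A-Fa-f]{4}", token):
        return "code"
    if token.startswith("TLS_"):
        return "iana"
    return "openssl"


def classify_cipher_string(value: str) -> list:
    """Split a TLSCipherSuite value on ':' and tag each token with its naming style."""
    return [(tok, name_style(tok)) for tok in value.split(":") if tok]


if __name__ == "__main__":
    for code, probs in audit(SAMPLE_LOG).items():
        print(code, "->", "; ".join(probs))
    print("no forward secrecy:", weak_key_exchange(SAMPLE_LOG))
    for tok, style in classify_cipher_string(SAMPLE_CIPHER_STRING):
        print(f"{style:8} {tok}")
```

Run it against the listing slapd writes at startup (debug level permitting) after each TLSCipherSuite change; a clean `weak_key_exchange` result is a quick local check before re-running the scanner. The name-style tags simply make visible the mix of keyword and IANA names the reply found necessary.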