Two OpenLDAP TLS gotchas

The scenario: You’re using CentOS 7 or RHEL 7. You’re using OpenLDAP. You have TLS set up on OpenLDAP. You are trying to perform a query against the server using ldapsearch.

Problem #1: You get:

ldap_start_tls: Can’t contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

Possible solution: You’re using the -Z option (along with -h and -p) to specify the host and port and request TLS.…

The other end of the POODLE

I’ve written about how to front-end your Domino servers with Apache to provide TLS up to TLS 1.2 and block SSLv3. But what about the other side of the problem? You might not be able to upgrade your Java runtime easily, particularly if you’re using IBM XPages. Well, fortunately life is easier on the consumer side of Web Services. There are some system properties which let you enable TLS on earlier Java runtimes where it’s disabled by default.…

Playing Domino without a POODLE

If you run any kind of Internet server, you’ve hopefully heard about the POODLE vulnerability in SSL 3. If you run a Domino server, you need to worry about this, because Firefox plan to turn off SSLv3 support in their next release in a couple of weeks and remove the code in the release after that — and Chrome will follow soon after. SSLv3 is the only secure connection supported in Domino out of the box, so that could leave you with no HTTPS support.…

