TLS requirements for LDAP servers

This document describes the requirements for the SSL/TLS configuration of LDAP servers connected to Feide

TLS protocol version

Feide requires LDAP servers to support TLS version 1.2.

Note: On Windows Server 2008 R2, TLS version 1.2 must be enabled. See Protocols in TLS/SSL (Schannel SSP) for details.

TLS 1.1, TLS 1.0, SSL version 3.0 and older is not supported by Feide.

Feide requires LDAP servers to support at least one of the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Feide requires LDAP servers to be configured with a certificate issued from a public certificate provider.

The Mozilla CA-bundle can be used as a reference for the list of supported root certificates in Feide.

The LDAP connection test tool can be used to test the LDAP server against these requirements.