TLS requirements for LDAP servers
This document describes the requirements for the SSL/TLS configuration of LDAP servers connected to Feide.
TLS protocol version
Feide requires LDAP servers to support TLS version 1.2.
Note: On Windows Server 2008 R2, TLS version 1.2 must be enabled. See Protocols in TLS/SSL (Schannel SSP) for details.
TLS 1.1, TLS 1.0, SSL 3.0 and older versions are not supported by Feide.
TLS cipher suites
Feide requires LDAP servers to support at least one of the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Certificates
Feide requires LDAP servers to be configured with a certificate issued from a public certificate provider.
The Mozilla CA bundle can be used as a reference for the list of root certificates supported by Feide.
Testing compatibility
The LDAP connection test tool can be used to test the LDAP server against these requirements.
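The following script is an added example, not Feide's LDAP connection test tool, and shows what the three requirements above amount to in a TLS client: a context that refuses anything below TLS 1.2, offers only the listed cipher suites, and validates the server certificate chain against the CA bundle. It then connects to an LDAP server (LDAPS on 636, or StartTLS on 389) and reports the negotiated version, cipher and certificate issuer. The TLS 1.2 minimum and the cipher suite list are taken from this page; the OpenSSL cipher names, the hand-encoded LDAP StartTLS request, the placeholder host and all function names are this example's own assumptions.

```python
"""Check an LDAP server's TLS setup against the requirements listed above.
Added example, not Feide's connection test tool; OpenSSL names, the StartTLS
request bytes and the helper names below are this example's own."""
import socket
import ssl

# The cipher suites Feide accepts, as listed on the page:
# IANA name -> (code point, OpenSSL name as reported by Python's ssl module).
FEIDE_CIPHER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   (0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"),
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      (0xC013, "ECDHE-RSA-AES128-SHA"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    (0xC009, "ECDHE-ECDSA-AES128-SHA"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      (0xC014, "ECDHE-RSA-AES256-SHA"),
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    (0xC00A, "ECDHE-ECDSA-AES256-SHA"),
    "TLS_RSA_WITH_AES_128_GCM_SHA256":         (0x009C, "AES128-GCM-SHA256"),
    "TLS_RSA_WITH_AES_256_GCM_SHA384":         (0x009D, "AES256-GCM-SHA384"),
    "TLS_RSA_WITH_AES_128_CBC_SHA":            (0x002F, "AES128-SHA"),
    "TLS_RSA_WITH_AES_256_CBC_SHA":            (0x0035, "AES256-SHA"),
}
OPENSSL_TO_IANA = {o: iana for iana, (_, o) in FEIDE_CIPHER_SUITES.items()}

# LDAP StartTLS extended request, BER encoded by hand for this example:
# LDAPMessage { messageID 1, extendedReq { requestName "1.3.6.1.4.1.1466.20037" } }
STARTTLS_REQUEST = bytes.fromhex("301d02010177188016") + b"1.3.6.1.4.1.1466.20037"


def build_feide_context():
    """Client context mirroring the page: TLS 1.2 or newer, only the listed suites,
    server certificate validated against the system CA bundle (Feide names the
    Mozilla bundle as its reference list of roots)."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.1, 1.0 and SSL 3.0 refused
    ctx.set_ciphers(":".join(o for _, o in FEIDE_CIPHER_SUITES.values()))
    return ctx


def context_report(ctx):
    """Plain-value summary of a context, so its settings can be checked or logged."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # TLS 1.3 suites are always present in OpenSSL and are not on the page's list
        "ciphers": sorted(c["name"] for c in ctx.get_ciphers()
                          if c["protocol"] != "TLSv1.3"),
    }


def is_accepted_cipher(openssl_name):
    """True if the cipher a server negotiated (OpenSSL name) is on Feide's list."""
    return openssl_name in OPENSSL_TO_IANA


def ber_tlv(buf, i):
    """Return (tag, value_start, value_end) of the BER element at offset i."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                     # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def ldap_result_code(response):
    """Pull resultCode out of an LDAP response (first field of any LDAPResult)."""
    tag, i, _ = ber_tlv(response, 0)      # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, i = ber_tlv(response, i)        # skip messageID INTEGER
    _, i, _ = ber_tlv(response, i)        # protocolOp, e.g. 0x78 ExtendedResponse
    tag, start, end = ber_tlv(response, i)
    if tag != 0x0A:
        raise ValueError("resultCode ENUMERATED expected")
    return int.from_bytes(response[start:end], "big")


def check_ldap_server(host, port=636, starttls=False, timeout=10):
    """Live check: connect, negotiate TLS 1.2 and report what the server agreed to."""
    ctx = build_feide_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # pin to 1.2: the version the page requires
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls:                      # port 389: TLS is requested inside LDAP first
            raw.sendall(STARTTLS_REQUEST)
            code = ldap_result_code(raw.recv(4096))
            if code != 0:
                raise RuntimeError(f"StartTLS refused, resultCode {code}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, _ = tls.cipher()
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return {"version": version, "cipher": name,
                    "cipher_accepted": is_accepted_cipher(name), "issuer": issuer}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"  # placeholder host
    print(check_ldap_server(target, starttls="--starttls" in sys.argv))
```

Run it as `python check_ldap_tls.py ldap.example.org` for LDAPS, or add `--starttls` and `port=389` for a server that only offers StartTLS. A handshake failure raises `ssl.SSLError` with the reason (for instance a certificate chain that does not lead to a public root, or no common cipher suite), which is the same condition the Feide tool would report; a successful result with `cipher_accepted` set to `True` means the server meets all three requirements on this page.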