TLS requirements for LDAP servers

This document describes the requirements for the SSL/TLS configuration of LDAP servers connected to Feide.

TLS protocol version

Feide requires LDAP servers to support TLS version 1.2.

TLS versions 1.0 and 1.1 are supported by Feide, but support for these versions is deprecated and will be removed in the future.

Note: On Windows Server 2008 R2, TLS version 1.2 must be enabled. See Protocols in TLS/SSL (Schannel SSP) for details.

SSL version 3.0 and older are not supported by Feide.

TLS cipher suites

Feide requires LDAP servers to support at least one of the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

The following cipher suites are supported by Feide, but are deprecated and will be removed in the future:

  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

Certificates

Feide requires LDAP servers to be configured with a certificate issued by a public certificate provider.

The Mozilla CA bundle can be used as a reference for the list of root certificates trusted by Feide.

Testing compatibility

The LDAP connection test tool can be used to test the LDAP server against these requirements.
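As an added example (not Feide's connection test tool and not code from this page), the script below shows how an LDAP administrator can check the three requirements above from the outside: it opens a TLS 1.2 connection to the LDAPS port, verifies the server certificate against the system trust store (or a CA bundle given as cafile, for example the Mozilla bundle), and classifies the negotiated protocol version and cipher suite against the lists above. The host name ldap.example.org and port 636 are placeholders; the function names, the "not-covered" status for versions the page does not mention (such as TLS 1.3) and the treatment of any unlisted suite as unsupported are this example's own assumptions.

```python
"""Check an LDAP server's negotiated TLS parameters against the Feide requirements.

Illustrative code, not Feide's connection test tool. Host and port are placeholders.
"""
import socket
import ssl

# Cipher suites from the requirements, keyed by the 16-bit code listed on the page.
REQUIRED_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
DEPRECATED_SUITES = {
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Version strings as returned by ssl.SSLSocket.version().
REQUIRED_VERSIONS = {"TLSv1.2"}
DEPRECATED_VERSIONS = {"TLSv1", "TLSv1.1"}


def classify_version(version):
    """Map a negotiated protocol version to ok / deprecated / unsupported / not-covered."""
    if version in REQUIRED_VERSIONS:
        return "ok"
    if version in DEPRECATED_VERSIONS:
        return "deprecated"
    # SSL 3.0 and older are unsupported. Anything else (e.g. TLS 1.3) is not
    # mentioned in the requirements, so it is reported separately (assumption).
    if version.startswith("SSLv"):
        return "unsupported"
    return "not-covered"


def classify_suite(cipher_id):
    """Map a 16-bit cipher suite code to ok / deprecated / unsupported (assumption: unlisted = unsupported)."""
    if cipher_id in REQUIRED_SUITES:
        return "ok"
    if cipher_id in DEPRECATED_SUITES:
        return "deprecated"
    return "unsupported"


def evaluate(version, cipher_id):
    """Combine both checks into one verdict for a negotiated session."""
    v_status, s_status = classify_version(version), classify_suite(cipher_id)
    name = REQUIRED_SUITES.get(cipher_id) or DEPRECATED_SUITES.get(cipher_id) or hex(cipher_id)
    return {
        "version": version,
        "version_status": v_status,
        "suite": name,
        "suite_status": s_status,
        "compliant": v_status == "ok" and s_status == "ok",
        "warnings": [s for s in (v_status, s_status) if s == "deprecated"],
    }


def probe(host, port=636, cafile=None, timeout=10):
    """Connect with TLS 1.2 only and evaluate what the server negotiated.

    Certificate verification stays on: a server whose certificate does not chain
    to a CA in the trust store (system store, or the bundle given as cafile) fails
    with ssl.SSLCertVerificationError, which is the certificate requirement itself.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # The socket reports OpenSSL cipher names; map them back to the 16-bit codes.
    openssl_name_to_id = {c["name"]: c["id"] & 0xFFFF for c in ctx.get_ciphers()}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _, _ = tls.cipher()
            return evaluate(tls.version(), openssl_name_to_id[cipher_name])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"  # placeholder host
    print(probe(target))
```

One handshake only reveals the suite the server actually picked. To confirm that a specific required suite works, restrict the client with ctx.set_ciphers() before probing; to confirm that TLS 1.0/1.1 is really disabled, lower minimum_version and maximum_version to that version and expect the handshake to fail.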