I am trying to modify our SSL ciphers for slapd using ldapmodify on CentOS 7.
openldap-2.4.44-25 is used.
The ciphers I am using are the ones recommended by Red Hat for RHEL 7 ("Strongest available ciphers only"):
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
My ldif file looks like this:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL
The command I am running locally is:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ciphers.ldif
What I get is a truncated line:
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-HA256:!RC4:HIGH:!MD5:!aNU$
LL:!EDH:!EXP:!SSLV2:!eNULL$
The dollar at the end of each line is just the EOL enabled in vim to show that ldapmodify creates an EOL in the middle of the string.
What am I missing?
I tried to use quotes around the string but it did not help.
Using this string also truncates the attribute:
olcTLSCipherSuite: EECDH:EDH:CAMELLIA:ECDH:RSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
However, using a shorter one works as expected:
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
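An added example, not from the question above: LDIF (RFC 2849) folds any line longer than 76 characters and marks the continuation with a single leading space, and OpenLDAP's LDIF writer uses the same width when it prints cn=config. The script below folds the intended cipher string the same way, then unfolds the result and compares the read-back olcTLSCipherSuite value with the intended one, which is the check worth running before trusting what a text editor shows. The sample cn=config excerpt, the function names and the 76-column fold width are assumptions of this example; the cipher string is the one from the question.

```python
"""Fold and unfold LDIF lines so a long olcTLSCipherSuite value can be verified."""

# RFC 2849 line width; OpenLDAP's LDIF writer folds at the same width (assumption
# of this example: continuation lines count their leading space toward the limit).
LDIF_MAX_LINE = 76

# The cipher string from the question (constructed config around it is ours).
INTENDED_SUITE = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL"
)


def fold_ldif_line(line, width=LDIF_MAX_LINE):
    """Split one logical LDIF line into physical lines the way slapd prints it:
    the first chunk is `width` characters, each continuation starts with a space."""
    if len(line) <= width:
        return [line]
    chunks = [line[:width]]
    rest = line[width:]
    step = width - 1  # one column is taken by the continuation space
    while rest:
        chunks.append(" " + rest[:step])
        rest = rest[step:]
    return chunks


def unfold_ldif(text):
    """Join continuation lines (leading single space) back onto their logical line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def get_attribute(text, name):
    """Return the first value of `name` from unfolded LDIF text, or None."""
    prefix = name + ": "
    for line in unfold_ldif(text):
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def suite_matches(config_text, intended):
    """True when the olcTLSCipherSuite stored in the config equals `intended`."""
    return get_attribute(config_text, "olcTLSCipherSuite") == intended


# Constructed cn=config excerpt: the cipher line is 95 characters, so it folds.
SAMPLE_CONFIG = "\n".join(
    ["dn: cn=config", "objectClass: olcGlobal", "cn: config"]
    + fold_ldif_line("olcTLSCipherSuite: " + INTENDED_SUITE)
    + ["olcTLSProtocolMin: 3.3"]
)


if __name__ == "__main__":
    print("As written on disk:")
    for physical in SAMPLE_CONFIG.splitlines():
        print(repr(physical))
    print("\nRead back:", get_attribute(SAMPLE_CONFIG, "olcTLSCipherSuite"))
    print("Matches intended value:", suite_matches(SAMPLE_CONFIG, INTENDED_SUITE))
```

Point the same functions at the output of `slapcat -b cn=config` (or at the olcDatabase file under slapd.d) to confirm that a value which looks cut in half in an editor is a single attribute value once the continuation line is joined.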