goodgoingswati@gmail.com wrote:
> Full_Name: Swati
> Version: 2.4.32
> OS: RHEL5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (115.113.153.34)
>
> OpenLDAP is not supporting CAMELLIA based ciphers (both RSA and DSA based).
> I have configured SSL LDAP (LDAPS) and on checking SSL connection with LDAPS
> server with CAMELLIA based cipher leads to failure in handshake:
Sounds like something is wrong with your config.
openssl s_client -connect localhost:9011 -showcerts -cipher CAMELLIA256-SHA -state -CAfile ~/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:SSLv3 read server hello A
depth=1 C = US, ST = California, L = Los Angeles, O = Symas Corp., CN = Symas Keymaster
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Symas Corp., OU = R&D, CN = violino.symas.net
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net
   i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
-----BEGIN CERTIFICATE-----
MIIDeDCCAuGgAwIBAgIBBDANBgkqhkiG9w0BAQQFADBoMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNV
BAoTC1N5bWFzIENvcnAuMRgwFgYDVQQDEw9TeW1hcyBLZXltYXN0ZXIwHhcNMTAw
NTA4MTMxMTQwWhcNMTUwNTA3MTMxMTQwWjB4MQswCQYDVQQGEwJVUzETMBEGA1UE
CBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNVBAoTC1N5
bWFzIENvcnAuMQwwCgYDVQQLFANSJkQxGjAYBgNVBAMTEXZpb2xpbm8uc3ltYXMu
bmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+UzX69iQfiHqFsfmbft8r
bbJ1B0khAMIyzbvAq+0TTXBl1z3vh/0zewfa2eXx75A+4j85VhJbmunKQtpGNZoU
j78qmlZyyadr1JDV/IP1VdkvimAY/ms/AIN7VXKbo/dMvvE2/Wlz1k6uyARHKRO0
HuDSXR+/y8wxmbssonIaoQIDAQABo4IBIDCCARwwCQYDVR0TBAIwADARBglghkgB
hvhCAQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBRiK30dAs2UKMa0nqGuZ/ZOvHy/SzCBmgYDVR0j
BIGSMIGPgBR8WtuSd1849yXVcEj7z1a5fdXhAKFspGowaDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYD
VQQKEwtTeW1hcyBDb3JwLjEYMBYGA1UEAxMPU3ltYXMgS2V5bWFzdGVyggkAlRwa
GgnLxpUwEgYDVR0RBAswCYIHdmlvbGlubzANBgkqhkiG9w0BAQQFAAOBgQBsQgtW
fd3sjH3kou2QVI0YVh13mUdgLcFvyfI615cvhomttIfrHny2WYb9ktp7yBjsSni5
x6J0s0Xi0NnBgdfh0LNamQL06UXzEPhBwf90n+LyUq+F+9jbHSkQWlAfg+vaBWCs
NpPOOvgFPpKkzMouLrc4hVDm9yvPnCh1jV5CKQ==
-----END CERTIFICATE-----
 1 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
   i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
-----BEGIN CERTIFICATE-----
MIIDHDCCAoWgAwIBAgIJAJUcGhoJy8aVMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxl
czEUMBIGA1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1hc3Rl
cjAeFw0xMDAyMjMwMTE0MTVaFw0yMDAyMjEwMTE0MTVaMGgxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxlczEUMBIG
A1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1hc3RlcjCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtdAxWHaiQVRn4ulkvQ/kWdeQRTlmDp0I
6ROd8UTdZWgG8pdaaSjic3oRrzXGu3yci7oCTeJj//wL6QuAiP3RAd34nvAF3G+J
4fp4AUCYhT7kM1jdGe94omQZeEjVwgr33ugvUYEbVU/fPIn/T3bnmKLifrNcPF30
UimTPNCoTvMCAwEAAaOBzTCByjAdBgNVHQ4EFgQUfFrbkndfOPcl1XBI+89WuX3V
4QAwgZoGA1UdIwSBkjCBj4AUfFrbkndfOPcl1XBI+89WuX3V4QChbKRqMGgxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5n
ZWxlczEUMBIGA1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1h
c3RlcoIJAJUcGhoJy8aVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
MtI45poCh3L8xk0g56WGxroIPMGPZvrHDo1XIj6ALxlhpSLIcTDPFbidJ0tD9aL3
7aNlCZQ7DeJx18BhIUUgSYZj/Sfb0oXZw9Vj59c1AA7UFGnvyjKuJx4G8sIYTFFx
rYXCmXraOoB9x0+DcD/7I9ed5Ogid/tZklF9ORPjUgs=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net
issuer=/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
---
Acceptable client certificate CA names
/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
---
SSL handshake has read 2166 bytes and written 290 bytes
---
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : CAMELLIA256-SHA
    Session-ID: 430EAC39338B25DF6D1CC63928DB20830BA5A034F13EAF3BE3BED715015D33C1
    Session-ID-ctx:
    Master-Key: F38B9781E21339675D80CDC3561B4ED906A15F5A6F5A9D1A9CCFFF9E16B912D270E2E1F44135FA6CA15D5A24DB720F67
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f0 95 1a 3f 67 bf cd 43-d7 dc 70 ce a3 19 5a 4e   ...?g..C..p...ZN
    0010 - c7 2b 4e cc d5 48 df a9-7f d1 a7 b5 53 e0 35 28   .+N..H......S.5(
    0020 - fa 7f 9c 70 37 b7 65 01-b6 27 bf 88 d6 dc 8a 36   ...p7.e..'.....6
    0030 - 95 a8 2f fb 22 a6 26 3e-07 d3 9b 94 88 b7 99 de   ../.".&>........
    0040 - 78 9b ee cb 52 51 5a 50-0a 53 a2 b8 05 f6 63 de   x...RQZP.S....c.
    0050 - c4 8e e1 2e 03 1c 5d a5-6a e2 6d 05 8e 62 aa 21   ......].j.m..b.!
    0060 - f8 0e d0 5e 9f d4 89 3e-85 db b9 8f ed 04 9e 39   ...^...>.......9
    0070 - a1 3e b1 44 a2 c3 48 5c-f8 d2 ff 5f 45 ad a0 d6   .>.D..H\..._E...
    0080 - d7 c3 3b 4a bd 6e c6 09-9d 08 74 d9 1c c5 6b 1b   ..;J.n....t...k.
    0090 - b1 f3 eb dc 26 ac 10 31-66 d3 fb bb 6b 9e 4b 8d   ....&..1f...k.K.
    00a0 - df ef 17 69 97 7b 56 0d-a7 32 bf 6c c6 49 fa b5   ...i.{V..2.l.I..

    Compression: 1 (zlib compression)
    Start Time: 1345578708
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
> openssl s_client -connect localhost:636 -showcerts -cipher DHE-DSS-CAMELLIA256-SHA -state -CAfile /path_to_cert -cert /path_to_client_cert -key /path_to_client_key
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 47726707455072:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
> no peer certificate available
> No client certificate CA names sent
> SSL handshake has read 7 bytes and written 102 bytes
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
>
> Handshake is failing with all camellia ciphers.
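The check both sides of this thread run by hand, turned into a script, as an added example that is not part of the report, of the reply or of OpenLDAP: it asks a TLS server for each Camellia suite in turn with `openssl s_client -cipher` and reads the `Cipher is` line of the output, so the whole family can be probed in one go instead of one suite per invocation. It assumes `openssl` on PATH and a server that speaks TLS 1.2 (forced with `-tls1_2` so a TLS 1.3-capable server cannot sidestep the `-cipher` restriction); the throwaway `s_server`, its self-signed RSA certificate, the port arithmetic and all function names are mine. One thing the probe separates out: the failing invocation above asks for DHE-DSS-CAMELLIA256-SHA, and a DHE-DSS suite can only be negotiated by a server holding a DSA certificate, so against an RSA-certified server that alert is expected whatever the cipher list says. The demo server shows that split: the RSA-keyed Camellia suites negotiate, the DHE-DSS ones are rejected.

```shell
#!/bin/sh
# probe_suites.sh: which cipher suites will a TLS server actually negotiate?
# Added example for this ITS thread, not OpenLDAP code. Assumes `openssl` on
# PATH and a TLS 1.2 server; the test server, port and names are my choices.

# negotiated_cipher HOST PORT SUITE
# Prints the suite the server agreed to, or nothing when the handshake failed
# (the "sslv3 alert handshake failure" case from the report).
negotiated_cipher() {
    openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null |
        awk '/^New, .*, Cipher is / { if ($NF != "(NONE)") print $NF }'
}

# probe_suites HOST PORT [CIPHERSTRING]
# Expands CIPHERSTRING (default: every Camellia suite this OpenSSL knows) and
# tries each suite on its own, printing OK or FAIL per suite.
probe_suites() {
    for suite in $(openssl ciphers "${3:-CAMELLIA}" | tr ':' ' '); do
        case $suite in TLS_*) continue ;; esac   # skip TLS 1.3 suites some versions prepend
        got=$(negotiated_cipher "$1" "$2" "$suite")
        if [ -n "$got" ]; then
            printf '%-32s OK   negotiated %s\n' "$suite" "$got"
        else
            printf '%-32s FAIL handshake rejected\n' "$suite"
        fi
    done
}

# start_rsa_test_server PORT DIR
# Throwaway TLS 1.2 server with a freshly generated self-signed RSA certificate
# and a permissive cipher list, so the probe can run offline. Prints its PID.
# Because the certificate is RSA, every DHE-DSS-* suite must fail against it:
# those suites require a DSA certificate, whatever the cipher list allows.
start_rsa_test_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2/key.pem" -out "$2/cert.pem" \
        -subj /CN=localhost -days 1 >/dev/null 2>&1
    openssl s_server -accept "$1" -cert "$2/cert.pem" -key "$2/key.pem" -tls1_2 \
        -cipher 'ALL:@SECLEVEL=0' -www </dev/null >/dev/null 2>&1 &
    echo $!
}

# wait_for_tls HOST PORT: poll until a handshake completes, give up after ~10 s.
wait_for_tls() {
    n=0
    while [ "$n" -lt 10 ]; do
        openssl s_client -connect "$1:$2" -tls1_2 </dev/null >/dev/null 2>&1 && return 0
        n=$((n + 1)); sleep 1
    done
    return 1
}

# Usage: sh probe_suites.sh --demo          (local RSA test server)
#        sh probe_suites.sh HOST PORT       (e.g. a real LDAPS listener on 636)
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d); port=$((20000 + $$ % 20000))
    pid=$(start_rsa_test_server "$port" "$dir")
    wait_for_tls 127.0.0.1 "$port" && probe_suites 127.0.0.1 "$port"
    kill "$pid" 2>/dev/null; rm -rf "$dir"
elif [ $# -eq 2 ]; then
    probe_suites "$1" "$2"
fi
```

Run it as `sh probe_suites.sh ldap.example.com 636` (placeholder host) to get one line per Camellia suite for a real LDAPS listener; a FAIL on every suite means the server never offers that family, while a FAIL confined to the DHE-DSS entries is just the RSA-versus-DSA certificate split and says nothing about Camellia support.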