https://bugs.openldap.org/show_bug.cgi?id=9518
Issue ID: 9518
Summary: Configuration parameter to force TLSv1.2 (-no_tls1_3)
Product: OpenLDAP
Version: 2.4.50
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: tom.bosmans@be.ibm.com
Target Milestone: ---
Hi,
I'm running into a problem during creation of an Ansible playbook that uses the community.general.ldap_entry module, which in turn depends on python-ldap, which uses the openldap libraries.
My (openldap) server is configured for TLS 1.2, but does not support TLS 1.3. openssl version: OpenSSL 1.1.1k (have tried 1.1.1g as well).
So the root cause is that openssl, if it's compiled with TLS v1.3, will try TLS v1.3. If that doesn't work because the server does not support it, it just stops. This is madness.

openssl s_client -connect isva.test:636 -showcerts -state
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
Now within openssl, there's a parameter that you can set to skip TLS 1.3. Great. So this works.

openssl s_client -connect isva.test:636 -showcerts -state -no_tls1_3
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=0 CN = isva.test
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = isva.test
...
But with ldapsearch, there's no option to pass this. I've tried changing the cipher suite in .ldaprc, but to no avail. The TLSv1.3 ciphers are always used.

[tbosmans@tbosmans-p73 ~]$ ldapsearch -x -H ldaps://isva.test -D "cn=bind,o=whatever" -w "pasword" -b "o=test" -v -d1
ldap_url_parse_ext(ldaps://isva.test)
ldap_initialize( ldaps://isva.test:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://isva.test:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP isva.test:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.42.135:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[tbosmans@tbosmans-p73 ~]$ cat .ldaprc
TLS_REQCERT never
TLS_ECNAME ECDHE
TLS_CIPHER_SUITE ECDHE-ECDSA-ARIA256-GCM-SHA384
So it would be great if there was an option equivalent to "-no_tls1_3" for the openldap client tools (or there may be a way to achieve this that I've missed so far).
--- Comment #1 from Howard Chu hyc@openldap.org ---
Sounds like you should just relink your OpenLDAP server with OpenSSL 1.1.1k so that it supports TLSv1.3.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed           | Added
-----------------+-------------------+------------------
Assignee         | bugs@openldap.org | hyc@openldap.org
Target Milestone | ---               | 2.4.59
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed | Added
---------+---------+-----------------------------------------------
See Also |         | https://bugs.openldap.org/show_bug.cgi?id=9521
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed          | Added
-----------------+------------------+-------------------
Target Milestone | 2.6.0            | 2.5.4
Assignee         | hyc@openldap.org | bugs@openldap.org

--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Requires development of a new configuration keyword, TLS_PROTOCOL_MAX, which is a feature enhancement. 2.4 is closed to new feature work, so that will not be until a later release.
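An added example (not code from the OpenLDAP project or from this thread), in Python because the reporter's stack is python-ldap: it parses the TLS_* keywords of an .ldaprc fragment, converts the ldap.conf(5) "major.minor" notation used by TLS_PROTOCOL_MIN (and, as assumed here, by the TLS_PROTOCOL_MAX keyword this ticket asks for) into the (major << 8) + minor encoding behind libldap's LDAP_OPT_X_TLS_PROTOCOL_* values, and builds an ssl.SSLContext with the same version bounds. It shows that the reporter's cipher-suite-only .ldaprc imposes no version cap, while TLS_PROTOCOL_MAX 3.3 is the -no_tls1_3 equivalent; the .ldaprc sample is the one quoted in the report.

```python
import ssl

# ldap.conf(5) writes TLS versions as "major.minor" (record-layer numbering):
# 3.1 = TLS1.0, 3.2 = TLS1.1, 3.3 = TLS1.2, 3.4 = TLS1.3 (accepted by 2.5+).
# libldap keeps them as (major << 8) + minor; LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 = 0x303.
LDAP_TO_SSL = {
    (3, 1): ssl.TLSVersion.TLSv1,
    (3, 2): ssl.TLSVersion.TLSv1_1,
    (3, 3): ssl.TLSVersion.TLSv1_2,
    (3, 4): ssl.TLSVersion.TLSv1_3,
}

# The reporter's .ldaprc from the thread: a cipher suite, but no version bound.
REPORTER_LDAPRC = "TLS_REQCERT never\nTLS_ECNAME ECDHE\nTLS_CIPHER_SUITE ECDHE-ECDSA-ARIA256-GCM-SHA384\n"

def parse_ldap_tls_version(text):
    """'3.3' -> 0x303, the integer ldap_set_option() takes for PROTOCOL_MIN/MAX."""
    major, minor = (int(p) for p in text.strip().split("."))
    if (major, minor) not in LDAP_TO_SSL:
        raise ValueError(f"unsupported TLS protocol version {text!r}")
    return (major << 8) + minor

def parse_ldaprc(text):
    """Collect 'KEYWORD value' lines of an ldap.conf/.ldaprc fragment into a dict."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def tls_bounds(opts):
    """(min, max) in libldap encoding; None where the config sets no bound."""
    lo = parse_ldap_tls_version(opts["TLS_PROTOCOL_MIN"]) if "TLS_PROTOCOL_MIN" in opts else None
    hi = parse_ldap_tls_version(opts["TLS_PROTOCOL_MAX"]) if "TLS_PROTOCOL_MAX" in opts else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("TLS_PROTOCOL_MIN is higher than TLS_PROTOCOL_MAX")
    return lo, hi

def ssl_context_from_ldaprc(text):
    """Client SSLContext carrying the version bounds the .ldaprc would impose."""
    lo, hi = tls_bounds(parse_ldaprc(text))
    ctx = ssl.create_default_context()
    if lo is not None:
        ctx.minimum_version = LDAP_TO_SSL[(lo >> 8, lo & 0xFF)]
    if hi is not None:  # the -no_tls1_3 equivalent: TLS_PROTOCOL_MAX 3.3
        ctx.maximum_version = LDAP_TO_SSL[(hi >> 8, hi & 0xFF)]
    return ctx
```

Note that TLS_REQCERT never in the reporter's file disables certificate verification entirely; the context built here keeps the default verification and only carries the version bounds.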
Quanah Gibson-Mount quanah@openldap.org changed:
What    | Removed                                                | Added
--------+--------------------------------------------------------+---------------------------------------------------------
Summary | Configuration parameter to force TLSv1.2 (-no_tls1_3)  | Configuration parameter to set max supported TLS protocol
Howard Chu hyc@openldap.org changed:
What       | Removed     | Added
-----------+-------------+---------
Resolution | ---         | TEST
Status     | UNCONFIRMED | RESOLVED

--- Comment #3 from Howard Chu hyc@openldap.org ---
added in master
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
-----------------+---------+------
Target Milestone | 2.6.0   | 2.5.4

--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• 2a3b64f4 by Howard Chu at 2021-04-09T18:12:40+01:00
  ITS#9518 add LDAP_OPT_X_TLS_PROTOCOL_MAX option

--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• e0dcf4c4 by Howard Chu at 2021-04-09T19:29:11+01:00
  ITS#9518 fix prev commit
--- Comment #6 from tom.bosmans@be.ibm.com ---
Great stuff, thanks!
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed  | Added
-----------+----------+---------
Status     | RESOLVED | VERIFIED
Resolution | TEST     | FIXED