HI!
I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release 2.5.4 when connecting to an 2.4 provider:
TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
An 2.4.58 consumer replica works just fine.
There is this commit in RE25 and I'm not sure whether that introduces a regression on my system:
b72bce2400ce303766f355a1dd37f4012754c942 ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
BTW: openSUSE has implemented something like a crypto policy configuration:
https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openss...
Any clue what's going on?
Ciao, Michael.
Michael Ströder wrote:
HI!
I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release 2.5.4 when connecting to an 2.4 provider:
TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
An 2.4.58 consumer replica works just fine.
There is this commit in RE25 and I'm not sure whether that introduces a regression on my system:
b72bce2400ce303766f355a1dd37f4012754c942 ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
BTW: openSUSE has implemented something like a crypto policy configuration:
https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openss...
Any clue what's going on?
What ciphers have you configured on your client and server? What versions of OpenSSL are running on each?
Ciao, Michael.
On 5/5/21 2:51 AM, Howard Chu wrote:
Michael Ströder wrote:
I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release 2.5.4 when connecting to an 2.4 provider:
TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
An 2.4.58 consumer replica works just fine.
There is this commit in RE25 and I'm not sure whether that introduces a regression on my system:
b72bce2400ce303766f355a1dd37f4012754c942 ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
BTW: openSUSE has implemented something like a crypto policy configuration:
https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openss...
Any clue what's going on?
What ciphers have you configured on your client and server? What versions of OpenSSL are running on each?
TL;DR: If I comment TLSCipherSuite in the 2.5.4 slapd.conf everything works.
It fails when setting this in slapd provider (2.4.58) *and* consumer (2.5.4):
TLSProtocolMin 3.3 TLSCipherSuite HIGH
BTW: I didn't know that these server-side settings also affect the syncrepl-client config.
This works when connecting with 2.5.4 CLI tools to 2.4.58 server:
LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH /opt/openldap-ms/bin/ldapwhoami ..
But connecting even only with openssl s_client to 2.5.4 server does not work with the above TLSCipherSuite settings.
All systems have OpenSSL 1.1.1k. The symlink /etc/crypto-policies/back-ends/openssl.config points to /usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Not sure what is really affected by this file.
You can see how RPMs are built in OBS:
https://build.opensuse.org/package/show/security:tls/openssl-1_1
https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms
Ciao, Michael.
Michael Ströder wrote:
Filed ITS:
Not a bug. Closing.
Ciao, Michael.
Michael Ströder wrote:
On 5/5/21 2:51 AM, Howard Chu wrote:
Michael Ströder wrote:
I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release 2.5.4 when connecting to an 2.4 provider:
TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
An 2.4.58 consumer replica works just fine.
There is this commit in RE25 and I'm not sure whether that introduces a regression on my system:
b72bce2400ce303766f355a1dd37f4012754c942 ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
BTW: openSUSE has implemented something like a crypto policy configuration:
https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openss...
Any clue what's going on?
What ciphers have you configured on your client and server? What versions of OpenSSL are running on each?
TL;DR: If I comment TLSCipherSuite in the 2.5.4 slapd.conf everything works.
It fails when setting this in slapd provider (2.4.58) *and* consumer (2.5.4):
TLSProtocolMin 3.3 TLSCipherSuite HIGH
BTW: I didn't know that these server-side settings also affect the syncrepl-client config.
This works when connecting with 2.5.4 CLI tools to 2.4.58 server:
LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH /opt/openldap-ms/bin/ldapwhoami ..
But connecting even only with openssl s_client to 2.5.4 server does not work with the above TLSCipherSuite settings.
All systems have OpenSSL 1.1.1k.
Then you're getting TLSv1.3 on these connections. Your ciphersuite config has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and below.
When you leave the suite unconfigured, it works because the hardcoded default in OpenSSL includes a set of TLSv1.3 suites. When you set the TLSCipherSuite parameter, all defaults are zeroed out and then your settings are configured.
The OpenSuSE patch you pointed to also only sets the suites for TLSv1.2 and below, it doesn't call the OpenSSL API to set TLSv1.3 suites so the hardcoded defaults are still in effect.
Change your suite config to include some actual TLSv1.3 suites and it will be fine. There's no bug here, just a change in OpenSSL behavior which is covered in their documentation. https://wiki.openssl.org/index.php/TLS1.3
I've seen in other software that they've split their cipher config to use CIPHER_LIST to configure TLSv1.2 and below, and CIPHER_SUITE to configure TLSv1.3. Since our config keyword already uses CIPHERSUITE our approach was simply to use it for both, scanning the provided string for TLSv1.3 suite names before doing the usual TLSv1.2 processing. This behavior is also in accordance with OpenSSL's own tools, which always list the TLSv1.3 ciphers along with the TLSv1.2 ciphers when you query it for configured cipher suites. I.e., even though OpenSSL itself configures them separately, it always displays the configuration as a single list, so conceptually, for us anyway, it is still a single parameter list.
The symlink /etc/crypto-policies/back-ends/openssl.config points to /usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Not sure what is really affected by this file.
You can see how RPMs are built in OBS:
https://build.opensuse.org/package/show/security:tls/openssl-1_1
https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms
Ciao, Michael.
On 5/5/21 1:29 PM, Howard Chu wrote:
Michael Ströder wrote:
TLSProtocolMin 3.3 TLSCipherSuite HIGH
Then you're getting TLSv1.3 on these connections. Your ciphersuite config has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and below.
Ah sorry. I've wrongly implied that OpenSSL automagically chooses appropriate TLSv1.3 ciphers for HIGH.
Change your suite config to include some actual TLSv1.3 suites and it will be fine. There's no bug here, just a change in OpenSSL behavior which is covered in their documentation. https://wiki.openssl.org/index.php/TLS1.3
Thanks for your explanations.
Your text seems worth to be added herein:
https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20con...
Ciao, Michael.
Michael Ströder wrote:
On 5/5/21 1:29 PM, Howard Chu wrote:
Michael Ströder wrote:
TLSProtocolMin 3.3 TLSCipherSuite HIGH
Then you're getting TLSv1.3 on these connections. Your ciphersuite config has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and below.
Ah sorry. I've wrongly implied that OpenSSL automagically chooses appropriate TLSv1.3 ciphers for HIGH.
Change your suite config to include some actual TLSv1.3 suites and it will be fine. There's no bug here, just a change in OpenSSL behavior which is covered in their documentation. https://wiki.openssl.org/index.php/TLS1.3
This appears to be one of the things they changed between OpenSSL 1.1.0 and 1.1.1. It's overall pretty user-unfriendly, I've submitted a patch to them to make things a little easier. https://github.com/openssl/openssl/pull/15161
Perhaps this problem can go away in a future OpenSSL release.
Thanks for your explanations.
Your text seems worth to be added herein:
https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20con...
Ciao, Michael.
Michael Ströder wrote:
On 5/5/21 1:29 PM, Howard Chu wrote:
Michael Ströder wrote:
TLSProtocolMin 3.3 TLSCipherSuite HIGH
Then you're getting TLSv1.3 on these connections. Your ciphersuite config has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and below.
Ah sorry. I've wrongly implied that OpenSSL automagically chooses appropriate TLSv1.3 ciphers for HIGH.
Change your suite config to include some actual TLSv1.3 suites and it will be fine. There's no bug here, just a change in OpenSSL behavior which is covered in their documentation. https://wiki.openssl.org/index.php/TLS1.3
Thanks for your explanations.
Your text seems worth to be added herein:
https://www.openldap.org/doc/admin25/guide.html#More%20extensive%20TLS%20con...
With this patch https://git.openldap.org/openldap/openldap/-/commit/cd3567d750b653949e50b624... the above problem will no longer occur. That is, if your ciphersuite doesn't contain any TLS1.3 ciphers, then the existing TLS1.3 ciphersuites will not be changed. So you'll get the compiled-in defaults if nothing else was changed. That means you can continue to use old configs without any further changes. I don't think there's any security weakness here since the compiled-in defaults are strong. Just a question of whether it's better to force sysadmins to be cognizant of TLS1.3 or let them keep going on without thinking about it.
On 5/6/21 9:30 PM, Howard Chu wrote:
With this patch https://git.openldap.org/openldap/openldap/-/commit/cd3567d750b653949e50b624... the above problem will no longer occur.> That is, if your ciphersuite doesn't contain any TLS1.3 ciphers, then the existing TLS1.3 ciphersuites will not be changed. So you'll get the compiled-in defaults if nothing else was changed. That means you can continue to use old configs without any further changes.
That's helpful and will avoid lots of questions on the mailing lists.
Ciao, Michael.
-
Howard Chu -
Michael Ströder