I am running into issues on RHEL 6.x servers (mix of 6.5 and now
6.6) when attempting to disable SSLv3. I have compiled the servers
with the --with-tls=openssl option and communication appears to be
working well between servers no matter what I have for the SSL
protocol. My problems are with the clients.
For client configuration I install the openldap-clients package via
yum install. Everything works as expected with this setting on the
server side:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
As soon as I modify the +SSLv3 to -SSLv3 to this:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
the client no longer works. I have tried just about everything I
can think of. I can get ldapsearch to work properly when I
compile the openldap source on the client but sssd / authentication
on the Red Hat side still fails. Here is the error message I am
getting:
54481b75 slap_listener_activate(8):
54481b75 >>> slap_listener(ldaps://blah)
54481b75 connection_get(38): got connid=1009
54481b75 connection_read(38): checking for input on id=1009
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.
54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing
54481b75 connection_close: conn=1009 sd=38
I am assuming this has something to do with RHEL clients linking to
MozNSS libraries instead of openssl but cannot be sure of that.
Again, to be clear - I do not change anything but the
olcTLSCipherSuite entry so I do not believe it is a certificate
issue.
Is there a solution to LDAP auth for RHEL clients with only allowing
TLSv1.2? I will gladly compile from source or use the LTB Project
RPMs.
Thanks in advance,
--
Peter Boguszewski
Manager of Library Systems
UW Madison - Library Technology Group
pboguszewski@library.wisc.edu
608.262.4768
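The following is an added example, not code from the post or from the OpenLDAP project. It uses Python's ssl module to show how the OpenSSL linked into the local interpreter expands the two olcTLSCipherSuite strings quoted in the message. The point it makes: in an OpenSSL cipher string the SSLv3, TLSv1.0 and TLSv1.2 keywords select cipher suites by the protocol version in which they were introduced, they do not enable or disable protocol versions. Turning +SSLv3 into -SSLv3 therefore strips the suites a client that cannot speak TLS 1.2 could still negotiate, which is what slapd reports as "no shared cipher". The script performs no network handshake; the exact lists it prints depend on the OpenSSL build (the poster's RHEL 6 OpenSSL 1.0.1 resolves a few keywords differently from current releases).

```python
# Added example (not from the original post): how OpenSSL expands the two
# olcTLSCipherSuite strings from the message, using whatever OpenSSL the
# local Python ssl module is linked against.  No network handshake is made.
import ssl

# The two cipher strings quoted in the post.
WORKS = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2"   # client still works
FAILS = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2"   # "no shared cipher"


def expand_cipher_string(spec):
    """Return [(suite name, protocol version the suite was introduced in)]
    exactly as OpenSSL resolves the cipher string.

    The SSLv3 / TLSv1.0 / TLSv1.2 keywords select suites by their minimum
    protocol version; they are not protocol switches.  Unknown keywords
    (e.g. TLSv1.1, which has no suites of its own) are silently ignored.
    TLS 1.3 suites are configured separately by OpenSSL and always listed,
    so they are dropped here to keep the comparison to the TLS <= 1.2 list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError only if nothing matches at all
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def pre_tls12_suites(spec):
    """Suites that a client limited to TLS 1.0/1.1 could still negotiate."""
    return [name for name, proto in expand_cipher_string(spec)
            if proto != "TLSv1.2"]


def removed_by(spec_before, spec_after):
    """Suites present with spec_before that spec_after no longer offers."""
    kept = {name for name, _ in expand_cipher_string(spec_after)}
    return [name for name, _ in expand_cipher_string(spec_before)
            if name not in kept]


def tls12_floor_context(spec):
    """Server context that keeps the working cipher list and instead refuses
    anything below TLS 1.2 at the protocol layer (what -SSLv3 does not do)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("Suites removed by changing +SSLv3 to -SSLv3:")
    for name in removed_by(WORKS, FAILS):
        print("   ", name)
    left = pre_tls12_suites(FAILS)
    print("Suites a TLS 1.0/1.1 client can still use with the failing string:",
          left if left else "none -> 'no shared cipher'")
    ctx = tls12_floor_context(WORKS)
    print("Protocol floor instead:", ctx.minimum_version.name,
          "with", len(ctx.get_ciphers()), "suites still configured")
```

Running it shows that the second string drops every suite whose minimum version is SSLv3 (the bulk of the HIGH list) while leaving the suites that need TLS 1.2, so a client whose TLS library tops out below 1.2 has nothing in common with the server. A protocol floor, as in tls12_floor_context, restricts the version rather than the suites; on the slapd side the protocol-layer setting is olcTLSProtocolMin (3.3 for TLS 1.2), which is independent of olcTLSCipherSuite. Whether the RHEL 6 MozNSS client can then speak TLS 1.2 at all is a separate question the script cannot answer.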