Good Day,
Working on moving from RHEL6 to RHEL8. Given the drop in support for openldap in RHEL8 I've installed the symas-openldap distros.
Here are the versions in play:
cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 (Ootpa)

sudo yum list installed | grep openldap
openldap.x86_64                 2.4.46-9.el8   @rhel-8-for-x86_64-baseos-rpms
symas-openldap.x86_64           2.4.55-1.el8   @sofl
symas-openldap-clients.x86_64   2.4.55-1.el8   @sofl
symas-openldap-servers.x86_64   2.4.55-1.el8   @sofl

$ openssl version
OpenSSL 1.1.1c FIPS  28 May 2019
I can't get any TLS connections to succeed, even if I try ldapsearch from the local (ldap server) host. The net error is cipher incompatibility; here's the output from a local ldapsearch:
ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636)
ldap_create
ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dev-pnldap1.net.isc.upenn.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 130.91.185.254:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I had slapd running in foreground for that ldapsearch, here's the output:

TLS trace: SSL_accept:before SSL initialization
tls_read: want=5, got=5
  0000:  16 03 01 01 26                                     ....&
tls_read: want=294, got=294
  0000:  01 00 01 22 03 03 cb 02 a0 2f ea 25 ad d7 c9 8e   ..."...../.%....
  0010:  f0 32 a4 1e a9 46 be af 48 9e e6 23 53 44 d2 f7   .2...F..H..#SD..
  0020:  e0 9d 99 82 50 17 20 dd fa 96 00 76 ab ce a7 ec   ....P. ....v....
  0030:  2b b9 e6 51 e0 77 78 2d ca 73 4c f4 eb 62 ed 62   +..Q.wx-.sL..b.b
  0040:  97 3b d4 ea ea 16 ab 00 48 13 02 13 03 13 01 13   .;......H.......
  0050:  04 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b c0 2f c0   ..,.0.......+./.
  0060:  ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13 00 9d c0   ..#.'...........
  0070:  9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f 00 9f cc   ......=.<.5./...
  0080:  aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39 00 33 00   ........k.g.9.3.
  0090:  ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a 00   ................
  00a0:  0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00   ..............#.
  00b0:  00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04   ............0...
  00c0:  03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08   ................
  00d0:  04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03   ................
  00e0:  01 02 01 03 02 02 02 04 02 05 02 06 02 00 2b 00   ..............+.
  00f0:  05 04 03 04 03 03 00 2d 00 02 01 01 00 33 00 26   .......-.....3.&
  0100:  00 24 00 1d 00 20 8a 31 32 cf fd 40 46 5d aa b6   .$... .12..@F]..
  0110:  4b 31 fb a2 6d 47 92 f9 46 25 02 ce 62 7a cf 0b   K1..mG..F%..bz..
  0120:  93 38 00 37 7f 2f                                  .8.7./
TLS trace: SSL_accept:before SSL initialization
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 28                               ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.
5fa072c7 connection_read(11): TLS accept failure error=-1 id=1000, closing
I've tried various combinations of TLSProtocolMin (3.3, 3.2, and not specifying at all) and the result is the same. I tried specifying the ciphers currently supported by openssl in TLSCipherSuite, same errors.

Running some outside utilities gives the same information. nmap: no ciphers returned for the rhel8 system:

nmap --script ssl-enum-ciphers -p 636 dev-pnldap1.net.isc.upenn.edu -Pn

Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST
Nmap scan report for dev-pnldap1.net.isc.upenn.edu (130.91.185.254)
Host is up (0.0014s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

rhel6 system:

$ nmap --script ssl-enum-ciphers -p 636 dev-pnldap2.net.isc.upenn.edu -Pn

Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST
Nmap scan report for dev-pnldap2.net.isc.upenn.edu (130.91.185.136)
Host is up (0.0019s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Thanks in advance for any suggestions or corrections.
Peter
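Added example, not code from either poster: a small Python decoder for slapd's tls_read hex dump that walks the ClientHello fixed fields and lists the cipher suites the client offered. Run over the dump above it finds 36 suites, starting with the TLS 1.3 suites and including TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f), which the working server in the reply below negotiates, so the client's offer is not what rules out a shared cipher; the suite names are a hand-picked subset of the IANA registry, and the embedded rows are copied from the dump above with the ASCII column dropped.

```python
import re

# Constructed sample: first ten rows of the 294-byte tls_read dump slapd printed above
# (ASCII column dropped); they reach the end of the cipher_suites vector.
CLIENT_HELLO_DUMP = """\
0000: 01 00 01 22 03 03 cb 02 a0 2f ea 25 ad d7 c9 8e
0010: f0 32 a4 1e a9 46 be af 48 9e e6 23 53 44 d2 f7
0020: e0 9d 99 82 50 17 20 dd fa 96 00 76 ab ce a7 ec
0030: 2b b9 e6 51 e0 77 78 2d ca 73 4c f4 eb 62 ed 62
0040: 97 3b d4 ea ea 16 ab 00 48 13 02 13 03 13 01 13
0050: 04 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b c0 2f c0
0060: ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13 00 9d c0
0070: 9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f 00 9f cc
0080: aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39 00 33 00
0090: ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a 00
"""

# IANA names for a few suites worth recognising here; anything else prints as hex.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

def dump_to_bytes(dump):
    """Turn slapd's 'OFFS: xx xx ...' debug rows back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-f]{4}:((?: [0-9a-f]{2})+)", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def client_hello_suites(data):
    """Walk the ClientHello fixed fields and return the offered cipher suite ids."""
    if data[0] != 0x01:                      # HandshakeType.client_hello
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                         # handshake header, legacy_version, random
    pos += 1 + data[pos]                     # legacy_session_id<0..32>
    cs_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    return [int.from_bytes(data[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]

def describe(suites):
    return [SUITE_NAMES.get(s, f"0x{s:04x}") for s in suites]

if __name__ == "__main__":
    offered = client_hello_suites(dump_to_bytes(CLIENT_HELLO_DUMP))
    print(len(offered), "suites offered:", ", ".join(describe(offered)))
```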
--On Monday, November 2, 2020 9:32 PM +0000 "Heinemann, Peter G" phei@isc.upenn.edu wrote:
> Good Day,
> Working on moving from RHEL6 to RHEL8. Given the drop in support for openldap in RHEL8 I've installed the symas-openldap distros.
Hi Peter,
You haven't provided any configuration information, so that makes it difficult to assist. I would note that TLS works just fine for me with RHEL8 and the 2.4.55 packages.
First, with startTLS:
ldapsearch -LLL -ZZ -x -H ldap://127.0.0.1
No such object (32)

Second, with 636:

ldapsearch -LLL -x -H ldaps://127.0.0.1:636
No such object (32)

openssl version
OpenSSL 1.1.1c FIPS  28 May 2019

nmap --script ssl-enum-ciphers -p 636 localhost -Pn

Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-02 23:51 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org