I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when attempting to disable SSLv3. I have compiled the servers with the --with-tls=openssl option and communication appears to be working well between servers no matter what I have for SSL Protocol. My problems are with the clients.
For client configuration I install the openldap-clients package via yum install. Everything works as expected with this setting on the server side:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
as soon as I modify the +SSLv3 to -SSLv3 to this:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
the client no longer works. I have tried just about everything I can think of. I /can/ get ldapsearch to work properly when I compile the openldap source on the client, but sssd / authentication on the Red Hat side still fails. Here is the error message I am getting:
54481b75 slap_listener_activate(8):
54481b75 >>> slap_listener(ldaps://blah)
54481b75 connection_get(38): got connid=1009
54481b75 connection_read(38): checking for input on id=1009
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.
54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing
54481b75 connection_close: conn=1009 sd=38
I am assuming this has something to do with RHEL clients linking to MozNSS libraries instead of openssl but can not be sure of that. Again, to be clear - I do not change anything but the olcTLSCipherSuite entry so I do not believe it is a certificate issue.
Is there a solution to LDAP auth for RHEL clients with only allowing TLSv1.2? I will gladly compile from source or use the LTB Project rpms.
Thanks in advance,
On Wed, 22 Oct 2014, Peter Boguszewski wrote:
I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when attempting to disable SSLv3. I have compiled the servers with the --with-tls=openssl option and communication appears to be working well between servers no matter what I have for SSL Protocol. My problems are with the clients.
For client configuration I install the openldap-clients package via yum install. Everything works as expected with this setting on the server side:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
as soon as I modify the +SSLv3 to -SSLv3 to this:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
the client no longer works.
Cipher suites are not protocol versions. To configure slapd to only negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented in slapd-config(5).
If you want to understand what your cipher suite specification was doing then you should
1) read the ciphers(1) manpage (or maybe the CIPHERS section of the openssl(1) manpage), and
2) test them with the "openssl ciphers -v" command, a la: openssl ciphers -v HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
You'll quickly find out that "TLSv1.1" isn't a valid specifier, nor is "TLSv1.0", and ciphers covered by "SSLv3" are also used by TLS. Your last request therefore disabled all the pre-TLSv1.2 ciphers.
To require TLSv1.0 or higher with 128-bit and longer ciphers you probably just want:
olcTLSProtocolMin: 3.1
olcTLSCipherSuite: HIGH
...
Is there a solution to LDAP auth for RHEL clients with only allowing TLSv1.2? I will gladly compile from source or use the LTB Project rpms.
It seems your client systems don't actually support the TLSv1.2 ciphers. You'll need to fix that by building against a crypto library which actually supports them before you can try to require it.
Philip
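To make Philip's point concrete, here is an added example (not from the thread or from the OpenLDAP project) that feeds the two olcTLSCipherSuite strings quoted above to the OpenSSL cipher-list parser through Python's ssl module and groups the surviving suites by the minimum protocol they need. The function names are this example's own, and it assumes Python 3.7 or newer linked against OpenSSL. It also shows the configuration Philip recommends in ssl-module terms: a protocol floor set separately from a strength-only cipher filter.

```python
"""Added example (not from the thread): the tokens in an olcTLSCipherSuite
string are OpenSSL cipher-list filters, not protocol-version settings.
Assumes a Python 3.7+ ssl module linked against OpenSSL; the two cipher
strings are the ones quoted in the thread."""
import ssl
from collections import Counter

# The two server-side settings from the thread (values from the page).
WITH_SSLV3 = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2"
WITHOUT_SSLV3 = "HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2"


def enabled_suites(cipher_string):
    """Return (name, protocol) for every suite OpenSSL selects for the string.

    'protocol' is the minimum protocol the suite can be used with, as
    reported by OpenSSL ('SSLv3', 'TLSv1', 'TLSv1.2' or 'TLSv1.3').
    Unknown tokens such as "TLSv1.1" are silently ignored by the parser;
    set_ciphers() only raises if no suite at all is left.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def suites_by_protocol(cipher_string):
    """Count the selected suites by their minimum protocol."""
    return Counter(proto for _, proto in enabled_suites(cipher_string))


def pre_tls12_suites(cipher_string):
    """Names of selected suites usable by a TLS 1.1-or-older client.

    An empty result means such a client gets 'no shared cipher' from the
    server even though no protocol floor was configured, which is the
    failure the thread describes.
    """
    return [name for name, proto in enabled_suites(cipher_string)
            if proto not in ("TLSv1.2", "TLSv1.3")]


def protocol_floor_context(minimum=ssl.TLSVersion.TLSv1_2, ciphers="HIGH"):
    """Philip's recommendation in ssl-module terms: pin the protocol floor
    with minimum_version (the olcTLSProtocolMin analogue) and keep the
    cipher list to a strength filter such as HIGH."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    ctx.set_ciphers(ciphers)
    return ctx


if __name__ == "__main__":
    for label, spec in (("+SSLv3", WITH_SSLV3), ("-SSLv3", WITHOUT_SSLV3)):
        print(label, dict(suites_by_protocol(spec)))
        print("  usable below TLS 1.2:", pre_tls12_suites(spec) or "none")
```

The per-protocol counts differ between OpenSSL releases (the 1.0.x builds in the thread filed every pre-TLS 1.2 suite under the SSLv3 alias, while 1.1.0 and later also know a TLSv1.0 alias), but the outcome of the second string is the same: nothing usable below TLS 1.2 survives, so a TLS 1.0 client fails with "no shared cipher" although no floor was ever set. The TLS 1.3 suites that get_ciphers() reports are not affected by set_ciphers() at all.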
Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 nor TLS1.2 with the yum installed packages.
Pete
--On Wednesday, October 22, 2014 5:54 PM -0500 Peter Boguszewski pboguszewski@library.wisc.edu wrote:
Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 nor TLS1.2 with the yum installed packages.
RHEL's shipped openldap packages use the MozNSS crypto library. Any issues with those packages need to be filed with RHEL rather than the OpenLDAP project, as it is RHEL's responsibility to maintain that support. Sane people link to OpenSSL.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
I opened a case with Red Hat support. I will see how far that goes. Will continue to compile from source on the server side.
Thanks,
Pete
--
----
Peter Boguszewski
Manager of Library Systems
UW - Madison - Library Technology Group
At Wed, 22 Oct 2014 16:54:24 -0500, Peter Boguszewski wrote:
Thanks for the quick response. I was also messing with the olcTLSProtocolMin settings and seeing similar issues (which are now verified by your answer). It appears as though RHEL 6.x does not support TLS1.1 nor TLS1.2 with the yum installed packages.
OpenLDAP in RHEL 6.x is version 2.4.23, which has a bug, ITS#7645. (See http://www.openldap.org/its/index.cgi?findid=7645)
You must set olcTLSProtocolMin to 769 instead of 3.1 for OpenLDAP 2.4.35 and older.
Cipher suites are not protocol versions. To configure slapd to only negotiate TLSv1.0 and higher use "olcTLSProtocolMin: 3.1", as documented in slapd-config(5).
--
-- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
-- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA
Thank you Satoh.
I can confirm setting olcTLSProtocolMin 3.1 disabled SSLv3 in the RHEL openldap-2.4.39-8 package.
However, setting olcTLSProtocolMin 769 on openldap-2.4.23-34.el6_5.1 still allows a successful SSLv3 handshake. Also, olcTLSProtocolMin is not even documented in the slapd.conf man pages for this version.
I suspect I'm hitting the issue of RHEL openldap being linked against moz_nss and not openssl, therefore olcTLSProtocolMin is ignored in this version.
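Satoh's note and the follow-up above turn on two spellings of the same directive: "3.1" for current OpenLDAP, the integer 769 for 2.4.35 and older. The following is an added example, not code from the thread or the OpenLDAP project, that renders the right spelling for a given build and desired floor. 769 is 0x0301, the TLS 1.0 version number written as major<<8 | minor, and Python's ssl.TLSVersion uses the same numbering, which the cross-check relies on. The 2.4.35 threshold is the one stated in the thread; the function names, the floor table and the package-string parsing are this example's own assumptions.

```python
"""Added example (not from the thread): helper for the two spellings of
olcTLSProtocolMin. Per Satoh, OpenLDAP 2.4.35 and older need the integer
form (769 instead of 3.1); the threshold is from the thread, everything
else here is this example's own assumption."""
import re
import ssl

# Record-layer version numbers (major, minor) for the floors people set:
# SSL 3.0 is 3.0, TLS 1.0 is 3.1, TLS 1.1 is 3.2, TLS 1.2 is 3.3.
FLOORS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}

# Last release that still needs the integer spelling, as stated in the thread.
LAST_INTEGER_FORM_VERSION = (2, 4, 35)


def encode_protocol_min(major, minor):
    """Integer spelling: major<<8 | minor, so (3, 1) becomes 769."""
    return (major << 8) | minor


def decode_protocol_min(value):
    """Inverse of encode_protocol_min: 771 becomes (3, 3)."""
    return (value >> 8, value & 0xFF)


def parse_openldap_version(text):
    """Turn '2.4.23-34.el6_5.1' or 'openldap-2.4.39-8' into (2, 4, 23) / (2, 4, 39).

    Assumes the upstream version is the first dotted triple in the string,
    which holds for the package names quoted in the thread.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def needs_integer_form(version):
    """True for 2.4.35 and older, per ITS#7645 as described in the thread."""
    return version <= LAST_INTEGER_FORM_VERSION


def protocol_min_directive(openldap_version, floor_name):
    """Render the olcTLSProtocolMin line for a given build and desired floor."""
    major, minor = FLOORS[floor_name]
    if needs_integer_form(parse_openldap_version(openldap_version)):
        return "olcTLSProtocolMin: %d" % encode_protocol_min(major, minor)
    return "olcTLSProtocolMin: %d.%d" % (major, minor)


def blocked_versions(floor_name):
    """Protocol versions a floor refuses; a TLS 1.0 floor refuses only SSLv3."""
    floor = FLOORS[floor_name]
    return [name for name, ver in FLOORS.items() if ver < floor]


def matches_python_tls_version(floor_name):
    """Cross-check the encoding against ssl.TLSVersion (TLSv1 is 769, TLSv1_2 is 771)."""
    py = {"TLSv1.0": ssl.TLSVersion.TLSv1,
          "TLSv1.1": ssl.TLSVersion.TLSv1_1,
          "TLSv1.2": ssl.TLSVersion.TLSv1_2}[floor_name]
    return encode_protocol_min(*FLOORS[floor_name]) == int(py)


if __name__ == "__main__":
    for build in ("openldap-2.4.23-34.el6_5.1", "openldap-2.4.39-8"):
        print(build, "->", protocol_min_directive(build, "TLSv1.0"))
```

Whichever spelling the helper produces, the report above that 769 on the MozNSS-linked 2.4.23 package still completed an SSLv3 handshake is the reason to confirm the floor with an actual handshake against the server rather than trusting the directive alone.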
Peter Boguszewski <pboguszewski@library.wisc.edu> wrote on 22.10.2014 at 23:08 in message <54481CBA.2080400@library.wisc.edu>:
Some (older) openssl versions have this feature:
List ciphers with a complete description of protocol version (SSLv2 or SSLv3; the latter includes TLS)
So you may disable TLS when trying to disable SSLv3, I guess.
Regards, Ulrich