Bug 1592431
| Field | Value |
|---|---|
| Summary | Cannot use SSL3 anymore |
| Product | [Fedora] Fedora |
| Reporter | Matus Honek <mhonek> |
| Component | openldap |
| Assignee | Matus Honek <mhonek> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 28 |
| CC | mhonek, pkis, rmeggins |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | openldap-2.4.46-3.fc28,openldap-2.4.46-8.fc29,openldap-2.4.46-8.fc30 openldap-2.4.46-3.fc28 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1592437 |
| Environment | |
| Last Closed | 2018-08-22 11:37:18 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1592437 |
Description
Matus Honek
2018-06-18 14:09:02 UTC
https://src.fedoraproject.org/rpms/openldap/c/b52530eb5c6a4400026786a14c03648f1d220daf?branch=f28
https://src.fedoraproject.org/rpms/openldap/c/53b870b7dbc10d0b1955a217be656b221cfa01b5?branch=f29
https://src.fedoraproject.org/rpms/openldap/c/53b870b7dbc10d0b1955a217be656b221cfa01b5?branch=master

openldap-2.4.46-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10

I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue is fixed. When SSL3 is explicitly configured it is supported, but it is not when it is not configured. Is this intentional?

openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10

(In reply to Patrik Kis from comment #3)
> I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue
> is fixed. When SSL3 is explicitly configured it is supported, but it is not
> when it is not configured. Is this intentional?

Yes, this comes from the system-wide crypto policy of OpenSSL. The same way this will be broken in the future for other protocols as well, but I'd rather upstream to decide on what will be their approach - I'm about to file an upstream ticket, soon.
The issue seems to be not fixed for i686: openldap-2.4.46-2.fc28.i686

```
# cat /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database config
rootdn cn=Manager,cn=config
# password is 'x'
rootpw x
database bdb
suffix dc=my-domain,dc=com
rootdn "cn=Manager,dc=my-domain,dc=com"
# password is 'x'
rootpw {SSHA}tOSmeQCcYIm1S9ujgpg2Km5rpUnR9dRB
directory /var/lib/ldap/
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSVerifyClient allow
TLSProtocolMin 3.0
#
#
# openssl s_client -connect my-domain.com:636 -CAfile /etc/openldap/cacerts/ca.crt -ssl3
3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 66 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534768521
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
```

Ok, take it back, all works, the system was not upgraded when I tested.

openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
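The exchange in comments #3 and #5 makes the operational point of this bug: after the fix, SSLv3 is off by default because the system-wide crypto policy governs OpenSSL, and it only comes back when slapd.conf explicitly asks for it (`TLSProtocolMin 3.0` in the configuration posted above). As an added example, not part of this bug report or of the openldap package, the Python audit below reads an slapd.conf and reports the directives that opt back into a legacy protocol, so an administrator can find such overrides before they are relied on. The `TLSProtocolMin` version encoding (3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2) follows slapd.conf(5); the policy floor of TLS 1.0 and the sample configuration are assumptions constructed for the example.

```python
import re

# TLSProtocolMin takes "<major>[.<minor>]" of the SSL/TLS version number
# (slapd.conf(5)): 3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2,
# 3.4 = TLS 1.3.  The configuration in the bug uses 3.0 to re-enable SSLv3.
PROTOCOL_NAMES = {
    (3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}

# Assumed crypto-policy floor used by the audit (TLS 1.0). The real floor is
# whatever the host's system-wide crypto policy sets; adjust to match it.
POLICY_FLOOR = (3, 1)

# OpenSSL cipher-string keywords that select the legacy SSLv2/SSLv3 suite groups.
LEGACY_SUITE_KEYWORDS = {"SSLV2", "SSLV3"}

# Constructed sample modelled on the slapd.conf posted in the bug (not the real file).
SAMPLE_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
pidfile /var/run/openldap/slapd.pid
database bdb
suffix dc=my-domain,dc=com
# legacy suite groups opted back in
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSVerifyClient allow
TLSProtocolMin 3.0
"""


def parse_tls_directives(conf_text):
    """Map lower-cased TLS* directive names to their values; comments and blank lines are skipped."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("tls"):
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def parse_protocol_min(value):
    """Turn a TLSProtocolMin string such as "3.0" or "3" into a (major, minor) tuple."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        raise ValueError(f"unparseable TLSProtocolMin value: {value!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def audit_tls(conf_text, policy_floor=POLICY_FLOOR):
    """Return human-readable findings about settings that bypass the crypto-policy floor."""
    d = parse_tls_directives(conf_text)
    findings = []
    if "tlsprotocolmin" not in d:
        # No explicit minimum: the system-wide policy decides, which is the
        # state in which the bug reporter saw SSLv3 refused.
        findings.append("TLSProtocolMin not set: the system-wide crypto policy minimum applies")
    else:
        pm = parse_protocol_min(d["tlsprotocolmin"])
        if pm < policy_floor:
            name = PROTOCOL_NAMES.get(pm, f"{pm[0]}.{pm[1]}")
            findings.append(
                f"TLSProtocolMin {d['tlsprotocolmin']} explicitly re-enables {name}, below the policy floor"
            )
    for token in d.get("tlsciphersuite", "").split(":"):
        if token.startswith(("!", "-")):
            continue  # exclusions only remove suites, which is the safe direction
        if token.lstrip("+").upper() in LEGACY_SUITE_KEYWORDS:
            findings.append(f"TLSCipherSuite token {token!r} references the legacy SSLv2/SSLv3 cipher groups")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_SLAPD_CONF):
        print("-", finding)
```

Run against the sample it reports three findings: the explicit `TLSProtocolMin 3.0` and the two `+SSLv2`/`+SSLv3` cipher-suite tokens. A file with no `TLSProtocolMin` at all gets a single informational finding, reflecting the post-fix default in which the crypto policy keeps SSLv3 disabled.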