
Bug 1592431

Summary: Cannot use SSL3 anymore
Product: [Fedora] Fedora
Reporter: Matus Honek <mhonek>
Component: openldap
Assignee: Matus Honek <mhonek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 28
CC: mhonek, pkis, rmeggins
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openldap-2.4.46-3.fc28, openldap-2.4.46-8.fc29, openldap-2.4.46-8.fc30
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1592437
Environment:
Last Closed: 2018-08-22 11:37:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1592437

Description Matus Honek 2018-06-18 14:09:02 UTC
Description of problem:
Cannot use SSL3, even after setting TLSProtocolMin to 3.0 and TLSCipherSuite to ALL:COMPLEMENTOFALL.

Version-Release number of selected component (if applicable):
openldap-2.4.46-1.fc28

Actual results:
Connection fails due to unsupported protocol.

Expected results:
Connection is successfully established over SSL3.

Additional info:
Given the downstream fix for OpenSSL itself [1], I guess SSL3 is disabled by default by OpenSSL, so the way OpenLDAP chooses enabled protocols based on TLS_PROTOCOL_MIN (i.e. only disabling protocols explicitly, not enabling them) [2] is not sufficient for actually having them enabled. We will probably need to do something like OpenSSL did in [1].

Additionally, we should fix possibly the same issue happening in the future for TLS1.x.

[1] https://src.fedoraproject.org/rpms/openssl/c/790567dc649ff1a5627cf9cce3dd78e0f6aa9305
[2] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_o.c;h=92c708be0e7c41a48727f4e0242cc4c3c803436f;hb=1c9416493bd219b08d839cd9e93fc64daa89b752#l301
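The report above describes the root cause as a mismatch between two policies: libldap only adds SSL_OP_NO_* bits for protocols below TLSProtocolMin, while the distribution's OpenSSL already starts with SSLv3 switched off, so a bit that is never cleared stays set. The following is an added illustration, not code from the bug report or from OpenLDAP: it models the two approaches over a small option mask. The SSL_OP_NO_* values are the real OpenSSL 1.1 option bits and the version encoding is OpenLDAP's LDAP_OPT_X_TLS_PROTOCOL (major << 8 | minor); the POLICY_DEFAULT mask, the helper names and the sample inputs are constructed for the example.

```python
# Added example: how a "disable-only" protocol-minimum policy behaves when the
# library's default options already disable a protocol, compared with an
# "explicit enable" policy. Not the page's or OpenLDAP's own code.

# Real OpenSSL 1.1 SSL_OP_NO_* option bits (from <openssl/ssl.h>).
SSL_OP_NO_SSLv3   = 0x02000000
SSL_OP_NO_TLSv1   = 0x04000000
SSL_OP_NO_TLSv1_2 = 0x08000000
SSL_OP_NO_TLSv1_1 = 0x10000000
SSL_OP_NO_TLSv1_3 = 0x20000000

# (name, OpenLDAP version encoding major<<8|minor, option bit that disables it)
PROTOCOLS = [
    ("SSLv3",   0x300, SSL_OP_NO_SSLv3),
    ("TLSv1.0", 0x301, SSL_OP_NO_TLSv1),
    ("TLSv1.1", 0x302, SSL_OP_NO_TLSv1_1),
    ("TLSv1.2", 0x303, SSL_OP_NO_TLSv1_2),
    ("TLSv1.3", 0x304, SSL_OP_NO_TLSv1_3),
]


def parse_protocol_min(text):
    """Turn TLSProtocolMin syntax ('3.0', '3.1', ...) into major<<8|minor."""
    major, minor = text.split(".")
    return (int(major) << 8) | int(minor)


def disable_only(default_options, min_version):
    """The approach the report attributes to libldap tls_o.c: set the
    SSL_OP_NO_* bit for every version below the minimum, never clear one.
    Whatever the default mask already disables stays disabled."""
    opts = default_options
    for _, version, no_flag in PROTOCOLS:
        if version < min_version:
            opts |= no_flag
    return opts


def explicit_enable(default_options, min_version):
    """Alternative (constructed): also clear the bit for versions at or above
    the minimum, i.e. SSL_CTX_set_options plus SSL_CTX_clear_options."""
    opts = default_options
    for _, version, no_flag in PROTOCOLS:
        if version < min_version:
            opts |= no_flag
        else:
            opts &= ~no_flag
    return opts


def enabled_protocols(options):
    """Names of the protocols whose SSL_OP_NO_* bit is not set."""
    return [name for name, _, no_flag in PROTOCOLS if not options & no_flag]


# Constructed stand-in for a distribution default that already disables SSLv3.
POLICY_DEFAULT = SSL_OP_NO_SSLv3


if __name__ == "__main__":
    min_v = parse_protocol_min("3.0")
    print("disable-only   :", enabled_protocols(disable_only(POLICY_DEFAULT, min_v)))
    print("explicit-enable:", enabled_protocols(explicit_enable(POLICY_DEFAULT, min_v)))
```

With TLSProtocolMin 3.0 the disable-only path leaves SSLv3 off, which is exactly the symptom in the report; only the explicit-enable path turns it back on, and doing so overrides the crypto policy that disabled it on purpose. The same asymmetry applies to TLS 1.0 and 1.1 once a policy disables them by default, which is the "future TLS1.x" concern the report raises; on OpenSSL 1.1.0 and later the version floor can also be expressed directly with SSL_CTX_set_min_proto_version instead of individual SSL_OP_NO_* bits.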

Comment 2 Fedora Update System 2018-08-16 13:27:36 UTC
openldap-2.4.46-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10

Comment 3 Patrik Kis 2018-08-17 15:27:30 UTC
I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue is fixed. When SSL3 is explicitly configured it is supported, but it is not when it is not configured. Is this intentional?

Comment 4 Fedora Update System 2018-08-17 15:35:10 UTC
openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10

Comment 5 Matus Honek 2018-08-17 15:58:35 UTC
(In reply to Patrik Kis from comment #3)
> I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue
> is fixed. When SSL3 is explicitly configured it is supported, but it is not
> when it is not configured. Is this intentional?

Yes, this comes from the system-wide crypto policy of OpenSSL. In the same way, this will be broken in the future for other protocols as well, but I'd rather let upstream decide on what their approach will be - I'm about to file an upstream ticket, soon.

Comment 6 Patrik Kis 2018-08-20 14:51:50 UTC
The issue seems not to be fixed for i686:

openldap-2.4.46-2.fc28.i686

# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database config
rootdn          cn=Manager,cn=config
# password is 'x'
rootpw          x

database        bdb
suffix          dc=my-domain,dc=com
rootdn          "cn=Manager,dc=my-domain,dc=com"
# password is 'x'
rootpw          {SSHA}tOSmeQCcYIm1S9ujgpg2Km5rpUnR9dRB

directory       /var/lib/ldap/
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile      /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/server.key
TLSCACertificateFile    /etc/openldap/cacerts/ca.crt
TLSVerifyClient         allow
TLSProtocolMin 3.0
#
#
# openssl s_client -connect my-domain.com:636 -CAfile /etc/openldap/cacerts/ca.crt -ssl3
3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 66 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534768521
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Comment 7 Patrik Kis 2018-08-20 15:09:25 UTC
OK, I take it back: all works; the system was not upgraded when I tested.

Comment 8 Fedora Update System 2018-08-22 11:37:18 UTC
openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.