Bug 1592431 - Cannot use SSL3 anymore
Summary: Cannot use SSL3 anymore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Matus Honek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1592437
Reported: 2018-06-18 14:09 UTC by Matus Honek
Modified: 2018-08-22 11:37 UTC (History)

Fixed In Version: openldap-2.4.46-3.fc28, openldap-2.4.46-8.fc29, openldap-2.4.46-8.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1592437
Environment:
Last Closed: 2018-08-22 11:37:18 UTC
Type: Bug
Embargoed:

Links
System        ID    Private  Priority  Status  Summary  Last Updated
OpenLDAP ITS  8904  0        None      None    None     2018-08-21 15:24:39 UTC

Description Matus Honek 2018-06-18 14:09:02 UTC
Description of problem:
Cannot use SSL3, even after setting TLSProtocolMin to 3.0 and TLSCipherSuite to ALL:COMPLEMENTOFALL.

Version-Release number of selected component (if applicable):
openldap-2.4.46-1.fc28

Actual results:
Connection fails due to unsupported protocol.

Expected results:
Connection is successfully established over SSL3.

Additional info:
Given the downstream fix for OpenSSL itself [1], I guess SSL3 is disabled by default by OpenSSL, so the way OpenLDAP chooses enabled protocols based on TLS_PROTOCOL_MIN (i.e. only disabling protocols explicitly, not enabling them) [2] is not sufficient for actually having them enabled. We will probably need to do something like OpenSSL did in [1].

Additionally, we should fix possibly the same issue happening in the future for TLS1.x.

[1] https://src.fedoraproject.org/rpms/openssl/c/790567dc649ff1a5627cf9cce3dd78e0f6aa9305
[2] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_o.c;h=92c708be0e7c41a48727f4e0242cc4c3c803436f;hb=1c9416493bd219b08d839cd9e93fc64daa89b752#l301

Comment 2 Fedora Update System 2018-08-16 13:27:36 UTC
openldap-2.4.46-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10

Comment 3 Patrik Kis 2018-08-17 15:27:30 UTC
I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue is fixed. When SSL3 is explicitly configured it is supported, but it is not when it is not configured. Is this intentional?

Comment 4 Fedora Update System 2018-08-17 15:35:10 UTC
openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10

Comment 5 Matus Honek 2018-08-17 15:58:35 UTC
(In reply to Patrik Kis from comment #3)
> I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue
> is fixed. When SSL3 is explicitly configured it is supported, but it is not
> when it is not configured. Is this intentional?

Yes, this comes from the system-wide crypto policy of OpenSSL. In the same way this will be broken in the future for other protocols as well, but I'd rather let upstream decide on what their approach will be - I'm about to file an upstream ticket soon.

Comment 6 Patrik Kis 2018-08-20 14:51:50 UTC
The issue seems not to be fixed for i686:

openldap-2.4.46-2.fc28.i686

# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database config
rootdn          cn=Manager,cn=config
# password is 'x'
rootpw          x

database        bdb
suffix          dc=my-domain,dc=com
rootdn          "cn=Manager,dc=my-domain,dc=com"
# password is 'x'
rootpw          {SSHA}tOSmeQCcYIm1S9ujgpg2Km5rpUnR9dRB

directory       /var/lib/ldap/
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile      /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/server.key
TLSCACertificateFile    /etc/openldap/cacerts/ca.crt
TLSVerifyClient         allow
TLSProtocolMin 3.0
#
#
# openssl s_client -connect my-domain.com:636 -CAfile /etc/openldap/cacerts/ca.crt -ssl3
3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 66 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534768521
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Comment 7 Patrik Kis 2018-08-20 15:09:25 UTC
Ok, take it back, all works, the system was not upgraded when I tested.
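The slapd.conf and openssl s_client output in comment 6 are a good reminder that a protocol floor of 3.0 (SSLv3) and legacy cipher keywords are exactly what an audit should flag, and that a "Cipher is (NONE)" handshake means nothing was actually negotiated. The following script is an added example written for this page, not code from the bug or from the OpenLDAP project. It parses slapd.conf TLS* directives, maps TLSProtocolMin's major.minor value to a protocol name (3.0 = SSLv3 through 3.4 = TLSv1.3, as documented in slapd.conf(5)), reports settings below a chosen floor (TLSv1.2 by default, an assumption of this example) or cipher keywords from a small constructed weak-keyword list, and classifies s_client output as a successful or failed handshake. The sample inputs are constructed from the comment 6 material.

```python
import re

# OpenLDAP's TLSProtocolMin takes "<major>.<minor>" (slapd.conf(5)):
# 3.0 is SSLv3, 3.1 TLSv1.0, 3.2 TLSv1.1, 3.3 TLSv1.2, 3.4 TLSv1.3.
PROTOCOL_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}

# OpenSSL cipher-list keywords that select suites nobody should still offer
# (constructed list for this example). Note that "SSLv3" as a cipher keyword
# names the suites introduced with SSLv3 (most TLS 1.0-1.2 suites), not the
# SSLv3 protocol, so it is not listed: protocol use is governed by
# TLSProtocolMin, not by the cipher list.
WEAK_CIPHER_KEYWORDS = {"SSLV2", "LOW", "EXPORT", "ENULL", "ANULL", "COMPLEMENTOFALL"}

# Constructed sample: the TLS-relevant lines of the slapd.conf from comment 6.
SAMPLE_SLAPD_CONF = """\
# TLS settings (constructed sample based on the comment 6 configuration)
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile      /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/server.key
TLSCACertificateFile    /etc/openldap/cacerts/ca.crt
TLSVerifyClient         allow
TLSProtocolMin 3.0
"""

# Constructed sample: the relevant lines of the s_client output from comment 6.
SAMPLE_S_CLIENT_OUTPUT = """\
3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""


def parse_slapd_conf(text):
    """Map each directive name (lowercased, since slapd.conf directives are
    case-insensitive) to its value. Comments and blank lines are skipped; a
    directive given more than once keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_protocol_min(value):
    """Turn "3.3" into (3, 3); return None if the value is malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def tls_findings(conf, floor=(3, 3)):
    """Return human-readable findings for a TLSProtocolMin below `floor`
    (default 3.3 = TLSv1.2) and for cipher keywords in WEAK_CIPHER_KEYWORDS."""
    findings = []
    raw_min = conf.get("tlsprotocolmin")
    if raw_min is None:
        findings.append("TLSProtocolMin is unset; the floor is whatever the "
                        "OpenSSL defaults / system crypto policy permit")
    else:
        ver = parse_protocol_min(raw_min)
        if ver is None:
            findings.append(f"TLSProtocolMin {raw_min!r} is not in major.minor form")
        elif ver < floor:
            findings.append(
                f"TLSProtocolMin {raw_min} allows {PROTOCOL_NAMES.get(ver, raw_min)}; "
                f"raise it to {floor[0]}.{floor[1]} ({PROTOCOL_NAMES[floor]})")
    for token in conf.get("tlsciphersuite", "").split(":"):
        if not token or token[0] in "!-":   # "!" and "-" remove suites, so they are fine
            continue
        if token.lstrip("+").upper() in WEAK_CIPHER_KEYWORDS:
            findings.append(f"TLSCipherSuite offers legacy keyword {token!r}")
    return findings


def handshake_succeeded(s_client_output):
    """True only if s_client reports a negotiated cipher and no handshake alert."""
    if "handshake failure" in s_client_output:
        return False
    m = re.search(r"^New, .*Cipher is (\S+)", s_client_output, re.M)
    return bool(m) and m.group(1) != "(NONE)"


if __name__ == "__main__":
    conf = parse_slapd_conf(SAMPLE_SLAPD_CONF)
    for finding in tls_findings(conf):
        print("finding:", finding)
    print("handshake succeeded:", handshake_succeeded(SAMPLE_S_CLIENT_OUTPUT))
```

Run against the comment 6 sample it reports the 3.0 protocol floor and the +SSLv2 keyword, and classifies the s_client output as a failed handshake; the "Protocol : SSLv3" line in that output only echoes what the client asked for, which is why the script keys on the negotiated cipher and the alert instead.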

Comment 8 Fedora Update System 2018-08-22 11:37:18 UTC
openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

