+++ This bug was initially created as a clone of Bug #1091316 +++
+++ This bug was initially created as a clone of Bug #1090966 +++
+++ This bug was initially created as a clone of Bug #1044401 +++
Description of problem:
LDAPS connection fails with error: "IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group"
Version-Release number of selected component (if applicable):
openssl-1.0.1e-15.el6.x86_64
openssl-1.0.1e-16.el6_5.x86_64
How reproducible:
#!/usr/bin/perl
sub ldap_query {
use Net::LDAPS;
my $conn = Net::LDAPS->new('ldap.example.com',
version => 3,
port => 636,
capath => '/etc/openldap/cacerts/',
raw => qr/^$/
) || die "$@\n";
$conn->disconnect();
return 0;
}
my $test = ldap_query();
Steps to Reproduce:
1. Run above script against suitable ldap-server
2.
3.
Actual results:
IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
Expected results:
Empty output
Additional info:
Downgrade to openssl-1.0.0-27.el6_4.2.x86_64 solves the issue.
[...]
--- Additional comment from Tomas Mraz on 2014-04-24 12:55:23 GMT ---
The SSL_version setting is probably no problem. However the ALL cipher list string really should not be used. Either the cipher list should not be set at all or the 'DEFAULT' string could be used.
[...]
--- Additional comment from Petr Pisar on 2014-04-25 07:08:43 GMT ---
How to test:
(1) Start an SSL server.
(2) Run a simple Net::LDAPS client without `ciphers' option against the server.
(3) Compare list of ciphers advertised by the client to the server against DEFAULT OpenSSL list (see `openssl ciphers DEFAULT' command output).
Before:
The lists differ.
After:
The lists are identical.
[...]
--- Additional comment from Petr Pisar on 2014-08-06 16:08:46 GMT ---
See bug #1090966 for testing instructions.
However please note that current IO::Socket:SSL Perl module (perl-IO-Socket-SSL-1.94-3.el7.noarch) does not respect OpenSSL defaults and overrides it:
SSL_cipher_list
If this option is set the cipher list for the connection will be set
to the given value, e.g. something like 'ALL:!LOW:!EXP:!ADH'. Look
into the OpenSSL documentation
(<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>) for
more details.
If this option is not set 'ALL:!LOW' will be used. To use OpenSSL
builtin default (whatever this is) set it to ''.
This undermines this perl-Net-LDAP fix and causes sneaking some ciphers into Net::LDAP application:
--- default.sorted 2014-08-06 16:36:58.176000000 +0200
+++ fixed.sorted 2014-08-06 16:35:23.573000000 +0200
@@ -1,3 +1,18 @@
+ADH-AES128-GCM-SHA256
+ADH-AES128-SHA
+ADH-AES128-SHA256
+ADH-AES256-GCM-SHA384
+ADH-AES256-SHA
+ADH-AES256-SHA256
+ADH-CAMELLIA128-SHA
+ADH-CAMELLIA256-SHA
+ADH-DES-CBC3-SHA
+ADH-RC4-MD5
+ADH-SEED-SHA
+AECDH-AES128-SHA
+AECDH-AES256-SHA
+AECDH-DES-CBC3-SHA
+AECDH-RC4-SHA
AES128-GCM-SHA256
AES128-SHA
AES128-SHA256
@@ -59,17 +74,15 @@
ECDH-RSA-RC4-SHA
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
+EXP-ADH-DES-CBC-SHA
+EXP-ADH-RC4-MD5
+EXP-DES-CBC-SHA
+EXP-EDH-DSS-DES-CBC-SHA
+EXP-EDH-RSA-DES-CBC-SHA
+EXP-RC2-CBC-MD5
+EXP-RC4-MD5
IDEA-CBC-SHA
-KRB5-DES-CBC3-MD5
-KRB5-DES-CBC3-SHA
-KRB5-IDEA-CBC-MD5
-KRB5-IDEA-CBC-SHA
-KRB5-RC4-MD5
-KRB5-RC4-SHA
- -3DES-EDE-CBC-SHA
-PSK-AES128-CBC-SHA
-PSK-AES256-CBC-SHA
-PSK-RC4-SHA
RC4-MD5
RC4-SHA
SEED-SHA
The erroneous cipher-suites are the ADH and AECDH and EXP ones. I will report bug against perl-IO-Socket-SSL.
(The KRB5 and PSK ones are not present in the Net::LDAP client because no Kerberos, nor PSK TLS authentication has been available when running the client. These misses are fine.)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2201.html