Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1309458

Summary: Satellite is trying to make and sslv3 connection but the ldap server only supports tls.
Product: Red Hat Satellite Reporter: Fotios Tsiadimos <ftsiadim>
Component: OtherAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.1.6CC: bkearney, dmitri
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-03 18:56:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Fotios Tsiadimos 2016-02-17 21:30:18 UTC 
Description of problem:

Satellite is trying to make and sslv3 connection but the ldap server only supports tls.  Is there a way to force the LDAPS connection to use TLS 1.2 instead of SSLv3?


Version-Release number of selected component (if applicable):
Satellite 6.1.6
Comment 1 Bryan Kearney 2016-07-26 19:04:38 UTC 
Moving 6.2 bugs out to sat-backlog.
Comment 2 Dmitri Dolguikh 2017-03-30 13:19:38 UTC 
I don't think the issue is in ssl attempting to use SSL instead of TLS.

When "simple_tls" ssl configureation is used in ldap-fluff (which is what Forman uses) it relies on default SSLContext of OpenSSL: SSLv23, wide range of ciphers, no peer verification. With such defaults openssl will use tls if the connection peer requests it (unless openssl is ancient and doesn't have support for tls, which I don't think this is the issue here).

The issue is most certainly due to openssl not recognizing peer's CA. I suspect that openssl is either configured with a non-default location (via SSL_CERT_DIR environment variable), /etc/ssl/certs directory is used instead of /etc/pki (see https://bugzilla.redhat.com/show_bug.cgi?id=1053882), or some other issue that prevents OpenSSL from detecting a new CA cert.

Seeing that the customer issue is quite old, and that the fix in a related KB (https://access.redhat.com/solutions/1593413) appears to work for several people, I'd suggest to close this BZ.
Comment 3 Bryan Kearney 2017-04-03 18:56:45 UTC 
I am closing this out per comment 2. If you believe this was incorrect, please feel free to re-open with additional inforamtion.