Bug 1309458

Summary: Satellite is trying to make and sslv3 connection but the ldap server only supports tls.
Product: Red Hat Satellite Reporter: Fotios Tsiadimos <ftsiadim>
Component: OtherAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.1.6CC: bkearney, dmitri
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-03 18:56:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Fotios Tsiadimos 2016-02-17 21:30:18 UTC 
Description of problem:

Satellite is trying to make and sslv3 connection but the ldap server only supports tls.  Is there a way to force the LDAPS connection to use TLS 1.2 instead of SSLv3?


Version-Release number of selected component (if applicable):
Satellite 6.1.6
Comment 1 Bryan Kearney 2016-07-26 19:04:38 UTC 
Moving 6.2 bugs out to sat-backlog.
Comment 2 Dmitri Dolguikh 2017-03-30 13:19:38 UTC 
I don't think the issue is in ssl attempting to use SSL instead of TLS.

When "simple_tls" ssl configureation is used in ldap-fluff (which is what Forman uses) it relies on default SSLContext of OpenSSL: SSLv23, wide range of ciphers, no peer verification. With such defaults openssl will use tls if the connection peer requests it (unless openssl is ancient and doesn't have support for tls, which I don't think this is the issue here).

The issue is most certainly due to openssl not recognizing peer's CA. I suspect that openssl is either configured with a non-default location (via SSL_CERT_DIR environment variable), /etc/ssl/certs directory is used instead of /etc/pki (see https://bugzilla.redhat.com/show_bug.cgi?id=1053882), or some other issue that prevents OpenSSL from detecting a new CA cert.

Seeing that the customer issue is quite old, and that the fix in a related KB (https://access.redhat.com/solutions/1593413) appears to work for several people, I'd suggest to close this BZ.
Comment 3 Bryan Kearney 2017-04-03 18:56:45 UTC 
I am closing this out per comment 2. If you believe this was incorrect, please feel free to re-open with additional inforamtion.