Description of problem:
When trying to use sssd-ldap against a CentOS 7.2 OpenLDAP server, all TLS connections fail. This appears to be a problem with cipher selection and what is available to the client.
Version-Release number of selected component (if applicable):
sssd.x86_64 1.13.4-4.fc24
sssd-ldap.x86_64 1.13.4-4.fc24
The server offers the following cipher suites:
Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.   Encryption  Bits  Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------
xc030    ECDHE-RSA-AES256-GCM-SHA384   ECDH 384   AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc028    ECDHE-RSA-AES256-SHA384       ECDH 384   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
x9f      DHE-RSA-AES256-GCM-SHA384     DH 2048    AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
x6b      DHE-RSA-AES256-SHA256         DH 2048    AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
x9d      AES256-GCM-SHA384             RSA        AESGCM      256   TLS_RSA_WITH_AES_256_GCM_SHA384
x3d      AES256-SHA256                 RSA        AES         256   TLS_RSA_WITH_AES_256_CBC_SHA256
xc02f    ECDHE-RSA-AES128-GCM-SHA256   ECDH 256   AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027    ECDHE-RSA-AES128-SHA256       ECDH 256   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
x9e      DHE-RSA-AES128-GCM-SHA256     DH 2048    AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
x67      DHE-RSA-AES128-SHA256         DH 2048    AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x9c      AES128-GCM-SHA256             RSA        AESGCM      128   TLS_RSA_WITH_AES_128_GCM_SHA256
x3c      AES128-SHA256                 RSA        AES         128   TLS_RSA_WITH_AES_128_CBC_SHA256
This breaks when trying to connect using STARTTLS on port 389 or LDAPS on port 636.
The OpenLDAP server shows the following debug output:
STARTTLS: [sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s).]
LDAPS: [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
The LDAP server is configured with:
olcTLSCipherSuite: HIGH:MEDIUM:!SSLv2:!SSLv3
I believe, however, that this may be incorrect, as I would expect TLSv1, TLSv1.1 etc. to be available, but they aren't.
That being said, I would still expect the Fedora 24 client to be able to connect to OpenLDAP using one of the ciphers listed above over TLSv1.2.
I actually managed to fix this by noticing I had the olcTLSCipherSuite wrong for the RHEL version of OpenLDAP. As it's linked to MozNSS, just about all the documentation you come across searching online is incorrect. Yay.
Finally, I came up with this LDIF that seems to correct the TLS issues:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/cacert.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
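An added example, not part of the report or of sssd/OpenLDAP: a small offline linter that parses a cn=config modify record like the one above and checks the TLS attributes before the LDIF is applied with ldapmodify. It embeds the report's LDIF as a constructed sample, flags OpenSSL-style exclusion tokens such as !SSLv2 (the form the reporter replaced with plain HIGH), rejects weak cipher keywords, and reads olcTLSProtocolMin using the mapping from slapd-config(5) (3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2). The warning thresholds are the example's own choices.

```python
"""Lint the TLS attributes of an OpenLDAP cn=config LDIF modify record (added example)."""
import base64
import re

# Constructed sample: the working LDIF from the report, embedded so the script runs offline.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/cacert.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
"""

# olcTLSProtocolMin "<major>.<minor>" values per slapd-config(5).
PROTOCOL_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Cipher-string keywords that must never be selected positively (example's own list).
WEAK_KEYWORDS = {"LOW", "EXPORT", "NULL", "eNULL", "aNULL", "RC4", "DES", "MD5"}
REQUIRED_FILES = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")
_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
_CHANGE_KEYWORDS = ("dn", "changetype", "add", "replace", "delete", "control")


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_modify(text):
    """Return {attribute: [values]} for the values set in one modify record.
    Change keywords (dn, changetype, replace/add/delete) and '-' separators are skipped;
    '::' values are base64-decoded as LDIF requires."""
    attrs = {}
    for line in _unfold(text):
        if not line.strip() or line == "-" or line.startswith("#"):
            continue
        match = _ATTR_RE.match(line)
        if not match:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = match.groups()
        if name in _CHANGE_KEYWORDS:
            continue
        if sep == "::":
            value = base64.b64decode(value).decode()
        attrs.setdefault(name, []).append(value.strip())
    return attrs


def parse_protocol_min(value):
    """Parse '<major>[.<minor>]' into a comparable (major, minor) tuple."""
    parts = value.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def protocol_name(value):
    """Readable name for an olcTLSProtocolMin value; unknown values are echoed back."""
    return PROTOCOL_NAMES.get(parse_protocol_min(value), "version %s" % value)


def check_cipher_suite(value):
    """Findings for an olcTLSCipherSuite string as (level, attribute, message) tuples."""
    findings = []
    tokens = [t for t in value.split(":") if t]
    excluded = [t for t in tokens if t[0] in "!-"]
    positive = [t.lstrip("+") for t in tokens if t[0] not in "!-"]
    if excluded:
        findings.append(("warning", "olcTLSCipherSuite",
                         "OpenSSL-style exclusion tokens (%s); the report's working value for the "
                         "MozNSS-linked build was plain HIGH" % ", ".join(excluded)))
    weak = sorted(WEAK_KEYWORDS.intersection(positive))
    if weak:
        findings.append(("error", "olcTLSCipherSuite", "weak keywords enabled: " + ", ".join(weak)))
    return findings


def check_protocol_min(value):
    """Findings for an olcTLSProtocolMin value."""
    version, name = parse_protocol_min(value), protocol_name(value)
    if version < (3, 1):
        return [("error", "olcTLSProtocolMin", "minimum %s still allows SSLv3 or older" % name)]
    if version < (3, 3):
        return [("warning", "olcTLSProtocolMin", "minimum %s permits TLS 1.0/1.1; the suites the "
                 "server offers are all TLS 1.2, so 3.3 is the matching floor once every client "
                 "negotiates TLS 1.2" % name)]
    return []


def lint_tls_config(text):
    """Run every check over an LDIF text and return the list of findings."""
    attrs = parse_ldif_modify(text)
    findings = [("error", a, "not set; TLS cannot be configured without it")
                for a in REQUIRED_FILES if a not in attrs]
    for value in attrs.get("olcTLSCipherSuite", []):
        findings.extend(check_cipher_suite(value))
    if "olcTLSProtocolMin" not in attrs:
        findings.append(("warning", "olcTLSProtocolMin", "not set; the build default applies"))
    for value in attrs.get("olcTLSProtocolMin", []):
        findings.extend(check_protocol_min(value))
    return findings


if __name__ == "__main__":
    for level, attr, message in lint_tls_config(SAMPLE_LDIF):
        print("%-7s %-26s %s" % (level, attr, message))
```

Run against the report's LDIF it reports no errors and one warning: 3.1 admits TLS 1.0 and 1.1 even though every suite in the server's list above is TLS 1.2-only. Feeding it the original HIGH:MEDIUM:!SSLv2:!SSLv3 string produces the exclusion-token warning instead.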