Bug 1368756

Summary: Cannot connect to LDAP server via TLS
Product: [Fedora] Fedora Reporter: Steven Haigh <netwiz>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: abokovoy, jhrozek, lslebodn, mzidek, netwiz, pbrezina, preichl, rharwood, sbose, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-21 06:33:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Steven Haigh 2016-08-21 05:27:50 UTC 
Description of problem:
When trying to use sssd-ldap against a CentOS 7.2 openldap server, all TLS connections fail. This seems to be a problem with cipher selection and what is available to the client.

Version-Release number of selected component (if applicable):
sssd.x86_64 1.13.4-4.fc24
sssd-ldap.x86_64 1.13.4-4.fc24

The Server offers the following:
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits     Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 384   AESGCM    256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 384   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM    256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES       256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                
 x9d     AES256-GCM-SHA384                 RSA        AESGCM    256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x3d     AES256-SHA256                     RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM    128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM    128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES       128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x9c     AES128-GCM-SHA256                 RSA        AESGCM    128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA256

This breaks when trying to connect using STARTTLS on port 389, or port 636.

The OpenLDAP server shows the following debug:
STARTTLS: [sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s).]

LDAPS: [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.

The LDAP server is configured with:
olcTLSCipherSuite: HIGH:MEDIUM:!SSLv2:!SSLv3

I believe however this may be incorrect - as I would expect TLSv1, TLSv1.1 etc to be available - but it isn't.

That being said, I would still expect the Fedora 24 client to be able to connect to openldap using one of the ciphers passed above over TLSv1.2
Comment 1 Steven Haigh 2016-08-21 06:32:37 UTC 
I actually managed to fix this by noticing I had the olcTLSCipherSuite wrong for the RHEL version of OpenLDAP. As its linked to moznss, just about all the documentation you come across searching online is incorrect. Yay.

Finally, I came up with this LDIF that seems to correct the TLS issues:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/cacert.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1