Bug 1387868

Summary: openldap server doesn't support any strong cipher suites
Product: [Fedora] Fedora Reporter: Hristo Venev <hristo>
Component: openldapAssignee: Matus Honek <mhonek>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 25CC: mhonek, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openldap-2.4.44-7.fc25 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-02 20:22:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hristo Venev 2016-10-22 20:02:54 UTC 
Because of http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=592250ebfbcc7aa47f22bf1f8613fe20f33fd39a slapd will always disable all ciphers except some SHA1 and MD5 ones. All SHA1 and MD5 ciphers are disabled for some clients (ldapsearch for example) so using openldap is impossible.

Idea: Revert to openssl, as openssl supports setting a list of cipher suites, which is important for servers.
Comment 1 Matus Honek 2017-02-01 14:28:36 UTC 
Efforts towards OpenSSL are currently in progress, see bug 1400570 for more info.

I'm fixing the issue in NSS implementation by issuing following commits:
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=22dbdbf78a40c4f6b65eb6aed0f35ff10032fd7a
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=0cc5bf72542ebb0e26227e09fc1950dabda739bf
Comment 2 Fedora Update System 2017-02-01 14:52:01 UTC 
openldap-2.4.44-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e
Comment 3 Fedora Update System 2017-02-01 23:52:10 UTC 
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e
Comment 4 Fedora Update System 2017-02-02 20:22:22 UTC 
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.