Bug 1582747
| Summary | DS only accepts RSA and Fortezza cipher families | | |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | mreynolds |
| Component | 389-ds-base | Assignee | mreynolds |
| Status | CLOSED ERRATA | QA Contact | RHDS QE <ds-qe-bugs> |
| Severity | high | Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | high | | |
| Version | 7.5 | CC | aadhikar, aakkiang, mharmsen, msauton, nkinder, rmeggins |
| Target Milestone | rc | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | 389-ds-base-1.3.8.4-1.el7 | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | | |
| | 1584066 (view as bug list) | Environment | |
| Last Closed | 2018-10-30 10:13:48 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1584066 | | |

Doc Text:

Directory Server now supports certificates with all key types supported by NSS

Due to a restriction in Directory Server, administrators could only use certificates from the RSA and Fortezza cipher families. As a consequence, certificates with a different key type, such as ECC certificates, were not supported: TLS initialization failed and the server did not listen on the secure port. This update removes this restriction. As a result, administrators can now use certificates with any key type supported by the underlying Network Security Services (NSS) database when configuring TLS in Directory Server.
Description
mreynolds
2018-05-26 17:39:45 UTC
Fixed upstream

Asha, QE is asking for a basic reproducer on this. Can you provide the steps needed to generate ECC certificates?

From the DS side the SSL initialization failed, and the server would not listen on the secure port:

    [25/May/2018:16:26:17.052973659 -0400] - WARN - Security Initialization - SSL alert: ConfigSecureServer: Server key/certificate is bad for cert DS Certificate of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8187 - security library: invalid arguments.)
    [25/May/2018:16:26:17.074510928 -0400] - ERR - Security Initialization - SSL failure: None of the cipher are valid

With the current fix it just works. There is no special configuration needed on the DS side to use ECC certificates.

The certutil command has options to create ECC certificates. To generate an ECC key/certificate use the options "-k ec -q <curve-name>". <curve-name> is the elliptic curve name that you are testing. "certutil -G --help" shows all the available curves.

Here is an example for cert creation using curve nistp256. The file /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/password.txt is owned by the directory server user (example: dirsrv) and contains the NSS database password.

    # cd /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/
    # openssl rand -out noise.bin 2048
    # echo -e "0\n1\n2\n3\n9\ny\n" | \
      certutil -S -x \
        -d /etc/dirsrv/slapd-<DS-INSTANCE-NAME> \
        -f /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/password.txt \
        -z noise.bin \
        -n "DS Certificate" \
        -s "CN=$HOSTNAME" \
        -k ec \
        -q nistp256 \
        -Z SHA256 \
        -t "CT,C,C" \
        -m $RANDOM \
        -1
    # certutil -L -d /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    DS Certificate                                               CTu,Cu,Cu

Build tested: 389-ds-base-1.3.8.4-3.el7.x86_64

TLS is initialized:

    [11/Jul/2018:08:22:08.157828878 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2

List of certificates in the DB:

    [root@qeos-54 slapd-DS]# certutil -K -d /etc/dirsrv/slapd-DS/
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    Enter Password or Pin for "NSS Certificate DB":
    < 0> ec       4ad944d1958e6625a7d82df4db5eaa50700876e0   NSS Certificate DB:Server-Cert
    < 1> ec       76af609b3ec710364b2ae50d8183ad5bb126256a   NSS Certificate DB:CA certificate

    [root@qeos-54 slapd-DS]# ss -ntpl | grep ns-slapd
    LISTEN     0      128    :::636    :::*    users:(("ns-slapd",pid=30535,fd=8))
    LISTEN     0      128    :::389    :::*    users:(("ns-slapd",pid=30535,fd=7))

The server is running, and it is also possible to bind on the LDAPS port.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3127
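The certificate-generation and verification steps from the comments above, gathered into one POSIX sh script as an added example (not code from the bug report or from the 389-ds-base project). It builds a throwaway NSS database, generates a self-signed ECC server certificate with the same certutil options ("-k ec -q nistp256"), and then reads the key type back from "certutil -K", which is the check QE used to confirm the database really holds EC keys rather than RSA ones. Assumptions, all chosen here: certutil from nss-tools is on PATH; the nickname "DS Certificate", the curve, the 12-month validity, the generated password and the mktemp directory are placeholders, not values from any instance; the "-1" key-usage option from the comment is omitted so that certutil runs without prompting.

```shell
#!/bin/sh
# Added example, not code from the bug report or from 389-ds-base.
# Generates a self-signed ECC server certificate in a throwaway NSS database
# with the certutil options from the bug comment, then checks that the
# private key certutil stored is really an EC key (the "ec" column of
# certutil -K) before Directory Server would be pointed at the database.
#
# Assumptions (all chosen here): certutil from nss-tools is on PATH; the
# nickname "DS Certificate", curve nistp256, a 12-month validity and a
# generated password are placeholders, as is the mktemp directory.
set -eu

# make_ecc_cert DBDIR PWFILE [NICK] [CURVE]
# Creates a fresh NSS database in DBDIR protected by the password written to
# PWFILE, and generates a self-signed ECC certificate/key pair in it.
make_ecc_cert() {
    dbdir=$1
    pwfile=$2
    nick=${3:-"DS Certificate"}
    curve=${4:-nistp256}

    umask 077                                 # db files and password stay owner-only
    mkdir -p "$dbdir"
    printf 'demo-pw-%s\n' "$$" > "$pwfile"    # constructed throwaway password
    head -c 2048 /dev/urandom > "$dbdir/noise.bin"   # seed for key generation

    # Empty database; -f takes the password from the file, so no prompt.
    certutil -N -d "$dbdir" -f "$pwfile"

    # Self-signed (-x) server certificate. "-k ec -q <curve>" selects an EC
    # key, as in the bug comment. The -1 key-usage option is left out so that
    # certutil does not prompt for extension values.
    serial=$(( $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') + 1 ))
    certutil -S -x \
        -d "$dbdir" -f "$pwfile" -z "$dbdir/noise.bin" \
        -n "$nick" -s "CN=$(hostname 2>/dev/null || echo localhost)" \
        -k ec -q "$curve" -Z SHA256 \
        -t "CT,C,C" -m "$serial" -v 12
}

# key_type_of DBDIR PWFILE NICK
# Prints the key type certutil -K reports for NICK: "ec" for an EC key,
# "rsa" for an RSA key. Empty output means there is no key with that nickname.
key_type_of() {
    certutil -K -d "$1" -f "$2" 2>/dev/null \
        | grep -F -- "$3" \
        | sed -n 's/^< *[0-9][0-9]*> *\([a-z]*\) .*/\1/p' \
        | head -n 1
}

main() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil (nss-tools) not installed; nothing to demonstrate" >&2
        return 0
    fi
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_ecc_cert "$tmp/db" "$tmp/pw.txt"
    certutil -L -d "$tmp/db"                  # same listing as in the bug: nickname + trust flags
    ktype=$(key_type_of "$tmp/db" "$tmp/pw.txt" "DS Certificate")
    echo "private key type for 'DS Certificate': $ktype"
    [ "$ktype" = ec ]                         # non-zero exit if an RSA key slipped in
}

main
```

To apply this to a real instance, run make_ecc_cert against the instance's own directory (/etc/dirsrv/slapd-<DS-INSTANCE-NAME> with its existing password.txt instead of the throwaway database), make sure the files stay owned by the directory server user, and restart the instance; as the comments note, no further DS-side configuration is needed once the fixed 389-ds-base build is installed. The key_type_of check is worth keeping in any provisioning script: on an unfixed build an "ec" key is exactly what produces the "Server key/certificate is bad" warning and a missing port 636 listener shown above.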