Bug 669446
| Field | Value |
|---|---|
| Summary | Default encryption strength dropped in switch to using NSS |
| Product | [Fedora] Fedora |
| Reporter | Tyson Whitehead <twhitehead> |
| Component | openldap |
| Assignee | Jan Vcelak <jvcelak> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | low |
| Version | 14 |
| CC | jvcelak, rmeggins, tsmetana |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | openldap-2.4.23-10.fc14 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| | 669845 |
| Last Closed | 2011-09-25 03:47:13 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 669845 |
Description
Tyson Whitehead
2011-01-13 17:29:18 UTC
So if openldap made the default cipher suite list TLS_CIPHER_SUITE HIGH, would that solve the problem, and make openldap with moznss work exactly like openldap with openssl?

That would likely be better than the default of only using medium and low grade cipher suites. It still wouldn't be technically equivalent though, as then the client would only use high grade cipher suites.

I had a look at the OpenSSL LDAP library code (tls_m.c) and it looks like the best you can do without editing the code is to make ALL the default. This gives a client list of

    00 00 35 - TLS1_CK_RSA_WITH_AES_256_SHA
    00 00 04 - SSL3_CK_RSA_RC4_128_MD5
    00 00 05 - SSL3_CK_RSA_RC4_128_SHA
    00 00 2f - TLS1_CK_RSA_WITH_AES_128_SHA
    00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
    00 00 09 - SSL3_CK_RSA_DES_64_CBC_SHA
    00 00 64 - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    00 00 62 - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    00 00 03 - SSL3_CK_RSA_RC4_40_MD5
    00 00 06 - SSL3_CK_RSA_RC2_40_MD5
    00 00 ff - SSL3_CK_SCSV

which, while not as extensive as the OpenSSL one, contains a reasonable subset of it and prefers the strongest suites.

Cheers! -Tyson

PS: From looking at the code, it seems this is not a limitation of NSS but rather the OpenLDAP NSS interface (tls_m.c), which uses a hard coded list, compared to the OpenSSL interface (tls_o.c), which queries the library.

(In reply to comment #2)
> That would likely be better than the default of only use medium and low grade
> cipher suites. It still wouldn't be technically equivalent though as then the
> client would only use high grade cipher suites.
>
> I had a look at the OpenSSL LDAP library code (tls_m.c) and it looks like the
> best you can do without editing the code is to make ALL the default. This
> gives a client list of
>
> 00 00 35 - TLS1_CK_RSA_WITH_AES_256_SHA
> 00 00 04 - SSL3_CK_RSA_RC4_128_MD5
> 00 00 05 - SSL3_CK_RSA_RC4_128_SHA
> 00 00 2f - TLS1_CK_RSA_WITH_AES_128_SHA
> 00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
> 00 00 09 - SSL3_CK_RSA_DES_64_CBC_SHA
> 00 00 64 - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
> 00 00 62 - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
> 00 00 03 - SSL3_CK_RSA_RC4_40_MD5
> 00 00 06 - SSL3_CK_RSA_RC2_40_MD5
> 00 00 ff - SSL3_CK_SCSV

I've made two changes:

1) if no cipher suite is specified, set it to "DEFAULT"
2) add more cipher suites to the list of default cipher suites

When I do this, I get the list specified above when running your commands.

> which, while not as extensive as the OpenSSL one, contains a reasonable subset
> of it and prefers the strongest suites.
>
> Cheers! -Tyson
>
> PS: From looking at the code, it seems this is not a limitation of NSS but
> rather the OpenLDAP NSS interface (tls_m.c), which uses a hard coded list,
> compared to the OpenSSL interface (tls_o.c), which queries the library.

We tried to keep the openldap tls settings exactly the same. For the cipher suite specification, openldap uses the strings used internally by openssl - that is, it just passes the string directly to SSL_CTX_set_cipher_list(). NSS doesn't support those strings, so we have to manually convert the cipher spec strings. We chose the most common and required cipher suites. We can add more if needed.

ITS and patch submitted upstream: http://www.openldap.org/its/index.cgi?findid=6790

Fixed in openldap-2.4.23-6.fc14

openldap-2.4.23-6.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/openldap-2.4.23-6.fc14

openldap-2.4.23-6.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openldap'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/openldap-2.4.23-6.fc14

openldap-2.4.23-7.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/openldap-2.4.23-7.fc14

openldap-2.4.23-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/openldap-2.4.23-8.fc14

Package openldap-2.4.21-12.fc13:
* should fix your issue,
* was pushed to the Fedora 13 updates-testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing openldap-2.4.21-12.fc13'

as soon as you are able to, then reboot. Please go to the following url:
https://admin.fedoraproject.org/updates/openldap-2.4.21-12.fc13
then log in and leave karma (feedback).

Package openldap-2.4.23-9.fc14:
* should fix your issue,
* was pushed to the Fedora 14 updates-testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing openldap-2.4.23-9.fc14'

as soon as you are able to, then reboot. Please go to the following url:
https://admin.fedoraproject.org/updates/openldap-2.4.23-9.fc14
then log in and leave karma (feedback).

openldap-2.4.23-10.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/openldap-2.4.23-10.fc14

openldap-2.4.23-10.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
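The thread settles the question by looking at the cipher suite list the client actually puts on the wire. The script below is an added example written for this page; it is not part of the bug, of OpenLDAP or of NSS. It decodes the cipher_suites vector from a TLS ClientHello record (as captured with tcpdump, ssltap or similar) and grades each suite so that a reader can check a client's real default rather than trusting the configured TLS_CIPHER_SUITE string. The grades are this editor's reading of OpenSSL's cipher string groups of the time (HIGH, MEDIUM, LOW, EXPORT) and are an assumption, as is the sample ClientHello, which is constructed inline from the eleven suite IDs listed in the bug so the script runs offline.

```python
"""Decode and grade the cipher suites a TLS client offers in its ClientHello.

Added example, not code from the bug, OpenLDAP or NSS. The grading table
follows OpenSSL's cipher string groups as understood by this editor
(assumption): HIGH = AES and 3DES, MEDIUM = 128-bit RC4, LOW = 56-bit DES,
EXPORT = export grade. 0x00ff is the renegotiation SCSV, a signaling value,
not a cipher.
"""
import os
import struct

# The eleven suites the bug reports for TLS_CIPHER_SUITE ALL, in the bug's
# order, keyed by their 16-bit suite ID (the low two bytes of "00 00 xx").
SUITES = {
    0x0035: ("TLS1_CK_RSA_WITH_AES_256_SHA", "HIGH"),
    0x0004: ("SSL3_CK_RSA_RC4_128_MD5", "MEDIUM"),
    0x0005: ("SSL3_CK_RSA_RC4_128_SHA", "MEDIUM"),
    0x002F: ("TLS1_CK_RSA_WITH_AES_128_SHA", "HIGH"),
    0x000A: ("SSL3_CK_RSA_DES_192_CBC3_SHA", "HIGH"),
    0x0009: ("SSL3_CK_RSA_DES_64_CBC_SHA", "LOW"),
    0x0064: ("TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA", "EXPORT"),
    0x0062: ("TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA", "EXPORT"),
    0x0003: ("SSL3_CK_RSA_RC4_40_MD5", "EXPORT"),
    0x0006: ("SSL3_CK_RSA_RC2_40_MD5", "EXPORT"),
    0x00FF: ("SSL3_CK_SCSV", "SIGNALING"),
}


def build_client_hello(suite_ids, version=(3, 1)):
    """Constructed sample input: a minimal TLS 1.0 ClientHello record, no extensions."""
    body = bytes(version) + os.urandom(32) + b"\x00"           # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suite_ids))               # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suite_ids)   # cipher_suites vector
    body += b"\x01\x00"                                         # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suite IDs offered in a single-record ClientHello.

    Every length field is bounds-checked; anything malformed raises ValueError
    instead of silently returning a short list.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def audit(record):
    """Grade every offered suite as (id, name, grade); unknown IDs are kept, graded UNKNOWN."""
    return [(sid,) + SUITES.get(sid, ("unknown", "UNKNOWN")) for sid in parse_client_hello(record)]


def weak_suites(record):
    """IDs of offered suites that fall outside HIGH, the default proposed in the thread."""
    return [sid for sid, _, grade in audit(record) if grade in ("MEDIUM", "LOW", "EXPORT", "UNKNOWN")]


if __name__ == "__main__":
    hello = build_client_hello(list(SUITES))       # constructed capture with the bug's list
    for sid, name, grade in audit(hello):
        print(f"0x{sid:04x}  {grade:9s} {name}")
    print("suites outside HIGH:", [f"0x{s:04x}" for s in weak_suites(hello)])
```

Run against a real capture, replace the constructed record with the bytes of the first client-to-server TLS record; an empty result from weak_suites is what a TLS_CIPHER_SUITE HIGH client should produce, while the bug's ALL list yields seven suites outside HIGH, four of them export grade.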