Bug 676384
Summary: | OpenSSL / PAM & NSS_LDAP / SUDO fail TLS_CHECKPEER with Cipher AES256-SHA
---|---
Product: | Red Hat Enterprise Linux 5
Reporter: | Jr Aquino <jr.aquino>
Component: | openssl
Assignee: | Tomas Mraz <tmraz>
Status: | CLOSED ERRATA
QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | medium
Priority: | medium
Version: | 5.8
CC: | dpal, ebenes, jwest, mbarper, mpoole, mvadkert, nc, okelet, prc, rdassen, roysjosh, sgrubb, vargok
Target Milestone: | rc
Hardware: | Unspecified
OS: | Linux
Fixed In Version: | openssl-0.9.8e-18.el5
Doc Type: | Bug Fix
Last Closed: | 2011-07-21 07:41:17 UTC
Bug Blocks: | 554476, 655069, 683349, 683368

Description
Jr Aquino
2011-02-09 17:10:48 UTC
The algorithms have to be added into the SSL_library_init() call. A workaround is to run OpenSSL_add_all_algorithms() before SSL_library_init() in the caller.
> The OpenSSL client tests also seem to inaccurately verify the cert as valid
> even though the other programs using the OpenSSL libraries fail.
This is exactly because the openssl commands always call OpenSSL_add_all_algorithms in addition to the SSL_library_init() call.
Created attachment 482750
Patch adding the SHA-2 algorithms to SSL_library_init

*** Bug 596058 has been marked as a duplicate of this bug. ***

Created attachment 495771
Cert

My machines use CentOS 5.5 with openssl-0.9.8e-12.el5_4.6 and are integrated with an LDAP server with the same configuration. The problem is the same as reported here, especially when I try "getent group", "id" and "sudo -l". The LDAP reports the message "SSL peer reports incorrect Message Authentication Code". I have built the patch added in this bug and applied it on server and client but still have the same problem. I can't connect with mozldap ldapsearch either. I use a self-signed certificate. I have attached the result for openssl s_client... No idea what the problem is, ideas?

You have to rebuild the nss_ldap with the patched openssl on a system.

There is a problem rebuilding the nss_ldap because in that case I have to install it on the client machine. Is there a way to solve this problem working only on the server? I can't control all the client machines integrated with the LDAP.

Use a different certificate with SHA1 hash then.

I have tried to set in /etc/openldap/ldap.conf the configuration parameter TLS_CIPHER_SUITE MEDIUM where the ciphers are

    # openssl ciphers -v 'MEDIUM'
    KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
    KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
    ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
    RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
    RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
    RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

In this case I shouldn't get an SSL error, but when I try a "getent group" I get this:

    [02/May/2011:11:26:49 +0200] conn=9 fd=64 slot=64 SSL connection from 192.168.55.101 to 192.168.55.105
    [02/May/2011:11:26:49 +0200] conn=9 SSL 128-bit RC4
    [02/May/2011:11:26:49 +0200] conn=9 op=-1 fd=64 closed - SSL peer reports incorrect Message Authentication Code.
    [02/May/2011:11:26:49 +0200] conn=10 fd=65 slot=65 SSL connection from 192.168.55.101 to 192.168.55.105
    [02/May/2011:11:26:49 +0200] conn=10 SSL 128-bit RC4

I think my cert uses SHA1 hash "Signature Algorithm: sha1WithRSAEncryption" and through that I have these 3 ciphers with 256:

    # openssl ciphers -v
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

I'm a little lost about this. Can anyone throw some light on the issue?

If your cert uses Signature Algorithm: sha1WithRSAEncryption, your problem is completely unrelated to this bug report. I'm sorry but this is not a place for support questions. Can you please open a regular support ticket at: http://www.redhat.com/support/

*** Bug 655069 has been marked as a duplicate of this bug. ***

*** Bug 683368 has been marked as a duplicate of this bug. ***

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1010.html
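
A triage check for the two conditions this thread turns on, the certificate's signature algorithm and the installed openssl package, added here as an example and not code from the bug's participants or from Red Hat. The function names, the list of SHA-2 signature names and the simplified RPM version comparison are assumptions; the sample certificate excerpts are constructed.

```python
import re

FIXED = ("0.9.8e", "18.el5")  # version, release from "Fixed In Version" above
# Assumption: signature names that need the SHA-2 digests the patch registers.
SHA2_SIG = re.compile(r"sha(224|256|384|512)With", re.I)

# Constructed excerpts of `openssl x509 -noout -text` output.
SHA1_CERT = "    Signature Algorithm: sha1WithRSAEncryption\n"
SHA256_CERT = "    Signature Algorithm: sha256WithRSAEncryption\n"

def rpm_cmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^'); returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment outranks alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def is_patched(nvr):
    """True if an NVR like 'openssl-0.9.8e-12.el5_4.6' is at or past FIXED."""
    _name, version, release = nvr.rsplit("-", 2)
    c = rpm_cmp(version, FIXED[0])
    return c > 0 or (c == 0 and rpm_cmp(release, FIXED[1]) >= 0)

def triage(nvr, x509_text):
    """Classify a client for this bug: unknown / unrelated / fixed / affected."""
    m = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    if m is None:
        return "unknown"
    if not SHA2_SIG.match(m.group(1)):
        return "unrelated"  # e.g. sha1WithRSAEncryption, as the maintainer notes
    # "affected" applies to callers that rely on SSL_library_init() alone.
    return "fixed" if is_patched(nvr) else "affected"

if __name__ == "__main__":
    for nvr in ("openssl-0.9.8e-12.el5_4.6", "openssl-0.9.8e-18.el5"):
        for cert in (SHA1_CERT, SHA256_CERT):
            print(nvr, cert.strip(), "->", triage(nvr, cert))
```

As the thread says, nss_ldap had to be rebuilt against the patched openssl, so a "fixed" package version on its own does not clear that consumer.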