Bug 1215010 - NSS-based applications have confusing behavior with regards to Microsoft Windows 2012R2 with MS14-066 update
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1212286
Blocks: 1215008
Reported: 2015-04-24 06:18 UTC by Martin Kosek
Modified: 2015-07-23 11:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Following a prior security update for Windows Server 2012 R2, multiple NSS-enabled applications, including ldapsearch and python-ldap, failed Transport Layer Security (TLS) negotiation on this system and did not work properly. This update modifies the signature algorithms sent as a part of the TLS 1.2 handshake so that the affected applications work as expected with Windows Server 2012 R2.
Clone Of: 1212286
Environment:
Last Closed: 2015-06-12 09:44:33 UTC
Type: Bug
Embargoed:


Links: Mozilla Foundation bug 1155922

Description Martin Kosek 2015-04-24 06:18:28 UTC
Description of problem:
When Windows Server 2012R2 (possibly others too) is updated with MS14-066 security update (https://support.microsoft.com/en-us/kb/2992611), NSS-enabled applications stop working with existing defaults.

In particular:

1. ldapsearch fails TLS negotiation
2. python-ldap fails TLS negotiation

On the other hand, OpenSSL-based tools work.

An attempt to set a higher TLS level results in inconsistency:
[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.3 ldapsearch -v -Z  -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -v -Z  -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.1 ldapsearch -v -Z  -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.0 ldapsearch -v -Z  -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.4 ldapsearch -v -Z  -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=adx,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Users, adx.test
dn: CN=Users,DC=adx,DC=test
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=adx,DC=test
instanceType: 4
whenCreated: 20140930130851.0Z
whenChanged: 20140930130851.0Z
uSNCreated: 5821
uSNChanged: 5821
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: se/9dpqxKkKfaoQrtU8KBQ==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=adx,DC=test
isCriticalSystemObject: TRUE
dSCorePropagationData: 20140930130930.0Z
dSCorePropagationData: 16010101000001.0Z

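The Doc Text above attributes the failure to the signature algorithms NSS sent in the TLS 1.2 handshake. When diagnosing a connection reset like the ones in this report, it helps to see exactly which (hash, signature) pairs a client offers, so the script below, added here as an example and not code from NSS, OpenLDAP or this bug, builds a constructed TLS 1.2 ClientHello carrying a signature_algorithms extension and parses the pairs back out. The algorithm list in it is made up for illustration and is not the list NSS sent; the parser works equally on a ClientHello record cut from a packet capture.

```python
import struct

# Registry values from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SIGNATURE_ALGORITHMS_EXT = 0x000D


def build_client_hello(sig_algs, client_version=0x0303):
    """Build a minimal TLS ClientHello record with a signature_algorithms extension.
    sig_algs is a list of (hash_id, sig_id) pairs. Constructed test input, not a capture."""
    pairs = b"".join(struct.pack("!BB", h, s) for h, s in sig_algs)
    ext_body = struct.pack("!H", len(pairs)) + pairs
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_body)) + ext_body
    body = (struct.pack("!H", client_version) + bytes(32)   # client_version + random
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"     # two cipher suites
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_signature_algorithms(record):
    """Return (client_version, ['sha256/rsa', ...]) from a ClientHello record, or
    (client_version, None) when no signature_algorithms extension is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                  # skip record + handshake headers
    client_version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                            # client_version + random
    pos += 1 + record[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                                   # compression_methods
    if pos >= len(record):
        return client_version, None                          # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == SIGNATURE_ALGORITHMS_EXT:
            count = struct.unpack("!H", record[pos:pos + 2])[0]
            algs = record[pos + 2:pos + 2 + count]
            return client_version, [f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}"
                                    for h, s in zip(algs[0::2], algs[1::2])]
        pos += ext_len
    return client_version, None
```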
Comment 1 Martin Kosek 2015-04-24 06:20:14 UTC
This is the related upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1155922

Comment 2 Kai Engert (:kaie) (inactive account) 2015-04-27 16:12:46 UTC
I expect this to be fixed once we pick up NSS 3.19.

Comment 3 Kai Engert (:kaie) (inactive account) 2015-06-12 09:44:33 UTC
This has been fixed as part of publishing updates to NSS 3.19.1.
