Bug 1300701 - OpenLDAP doesn't use sane (or default) cipher order
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.7
Priority: medium
Severity: high
Target Milestone: alpha
Assigned To: Matus Honek
QA Contact: Patrik Kis
Docs Contact: Marc Muehlfeld
Depends On: 1245279
Reported: 2016-01-21 08:47 EST by Hubert Kario
Modified: 2016-05-10 20:59 EDT
Fixed In Version: openldap-2.4.40-11.el6
Doc Type: Release Note
Doc Text:
OpenLDAP now supports TLSv1.2. The TLS layer of OpenLDAP has been enhanced to support the cipher string value `TLSv1.2` along with new ciphers from the TLSv1.2 suite. Additionally, the new cipher strings `AESGCM`, `SHA256`, and `SHA384` have been added. With this update, the cipher string `DEFAULT` selects a subset of the Network Security Services (NSS) defaults in order to be up to date with current security development. Note that the cipher string `DEFAULT` currently excludes `AESGCM` ciphers, in order not to break the Security Strength Factor (SSF) functionality.
Clone Of: 1245279
Last Closed: 2016-05-10 20:59:51 EDT
Type: Bug
Attachments: none

Description Hubert Kario 2016-01-21 08:47:17 EST
+++ This bug was initially created as a clone of Bug #1245279 +++

Description of problem:
LDAP clients (like ldapsearch) enable insecure ciphers and don't enable the most secure ones.

Version-Release number of selected component (if applicable):
openldap-2.4.40-8.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. tcpdump -i lo -U -w capture.pcap -s 0 port 22
2. ldapsearch -ZZ -H ldaps://localhost:22
3. open capture.pcap with wireshark, set the protocol type to SSL

Actual results:
Client Hello that advertises support for 42 ciphersuites, among them export grade ciphers, but no AES-GCM or SHA256 HMAC ciphers.

Expected results:
Client Hello that uses NSS default ciphers - no export grade, no single DES, but with AES-GCM and with SHA256 ciphers

Additional info:

--- Additional comment from Matus Honek on 2015-09-23 11:31:12 EDT ---

Commit adding new cipher suites to play along NSS default ciphers:
http://pkgs.devel.redhat.com/cgit/rpms/openldap/commit/?h=rhel-7.2&id=7359eb3d9356ca0c6aba14713814669d29270221

Commit adding checking for eNULL in DEFAULT handling:
http://pkgs.devel.redhat.com/cgit/rpms/openldap/commit/?h=rhel-7.2&id=57535c444bf7bef7574ef1614f14884d62520332
Comment 19 errata-xmlrpc 2016-05-10 20:59:51 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0943.html
