Bug 1300701 - OpenLDAP doesn't use sane (or default) cipher order
Summary: OpenLDAP doesn't use sane (or default) cipher order
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: alpha
: ---
Assignee: Matus Honek
QA Contact: Patrik Kis
Marc Muehlfeld
Depends On: 1245279
TreeView+ depends on / blocked
Reported: 2016-01-21 13:47 UTC by Hubert Kario
Modified: 2016-05-11 00:59 UTC (History)
13 users (show)

Fixed In Version: openldap-2.4.40-11.el6
Doc Type: Release Note
Doc Text:
OpenLDAP now supports TLSv1.2 The TLS layer of OpenLDAP has been enhanced to support the cipher string value `TLSv1.2` along with new ciphers from the TLSv1.2 suite. Additionally, the new cipher strings `AESGCM`, `SHA256`, and `SHA384` have been added. With this update, the cipher string `DEFAULT` selects a subset of the Network Security Services (NSS) defaults in order to be up to date with current security development. Note that the cipher string `DEFAULT` currently excludes `AESGCM` ciphers, in order not to break the Security Strength Factor (SSF) functionality.
Clone Of: 1245279
Last Closed: 2016-05-11 00:59:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0943 normal SHIPPED_LIVE openldap bug fix update 2016-05-10 22:55:28 UTC

Description Hubert Kario 2016-01-21 13:47:17 UTC
+++ This bug was initially created as a clone of Bug #1245279 +++

Description of problem:
LDAP clients (like ldapsearch) enable insecure ciphers as well as don't enable the most secure ones.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. tcpdump -i lo -U -w capture.pcap -s 0 port 22
2. ldapsearch -ZZ -H ldaps://localhost:22
3. open capture.pcap with wireshark, set the protocol type to SSL

Actual results:
Client Hello that advertises support for 42 ciphersuites, among them are export grade ciphers but no AES-GCM or SHA256 HMAC ciphers.

Expected results:
Client Hello that uses NSS default ciphers - no export grade, no single DES, but with AES-GCM and with SHA256 ciphers

Additional info:

--- Additional comment from Matus Honek on 2015-09-23 11:31:12 EDT ---

Commit adding new cipher suites to play along NSS default ciphers:

Commit adding checking for eNULL in DEFAULT handling:

Comment 19 errata-xmlrpc 2016-05-11 00:59:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.