Red Hat Bugzilla – Bug 1309458
Satellite is trying to make and sslv3 connection but the ldap server only supports tls.
Last modified: 2017-04-03 14:56:45 EDT
Description of problem:
Satellite is trying to make and sslv3 connection but the ldap server only supports tls. Is there a way to force the LDAPS connection to use TLS 1.2 instead of SSLv3?
Version-Release number of selected component (if applicable):
Moving 6.2 bugs out to sat-backlog.
I don't think the issue is in ssl attempting to use SSL instead of TLS.
When "simple_tls" ssl configureation is used in ldap-fluff (which is what Forman uses) it relies on default SSLContext of OpenSSL: SSLv23, wide range of ciphers, no peer verification. With such defaults openssl will use tls if the connection peer requests it (unless openssl is ancient and doesn't have support for tls, which I don't think this is the issue here).
The issue is most certainly due to openssl not recognizing peer's CA. I suspect that openssl is either configured with a non-default location (via SSL_CERT_DIR environment variable), /etc/ssl/certs directory is used instead of /etc/pki (see https://bugzilla.redhat.com/show_bug.cgi?id=1053882), or some other issue that prevents OpenSSL from detecting a new CA cert.
Seeing that the customer issue is quite old, and that the fix in a related KB (https://access.redhat.com/solutions/1593413) appears to work for several people, I'd suggest to close this BZ.
I am closing this out per comment 2. If you believe this was incorrect, please feel free to re-open with additional inforamtion.