Bug 1309458 - Satellite is trying to make and sslv3 connection but the ldap server only supports tls.
Satellite is trying to make and sslv3 connection but the ldap server only sup...
Status: CLOSED WONTFIX
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Other (Show other bugs)
6.1.6
All Linux
unspecified Severity urgent (vote)
: Unspecified
: --
Assigned To: satellite6-bugs
Katello QA List
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-17 16:30 EST by Fotios Tsiadimos
Modified: 2017-04-03 14:56 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-03 14:56:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Fotios Tsiadimos 2016-02-17 16:30:18 EST
Description of problem:

Satellite is trying to make and sslv3 connection but the ldap server only supports tls.  Is there a way to force the LDAPS connection to use TLS 1.2 instead of SSLv3?


Version-Release number of selected component (if applicable):
Satellite 6.1.6
Comment 1 Bryan Kearney 2016-07-26 15:04:38 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 2 Dmitri Dolguikh 2017-03-30 09:19:38 EDT
I don't think the issue is in ssl attempting to use SSL instead of TLS.

When "simple_tls" ssl configureation is used in ldap-fluff (which is what Forman uses) it relies on default SSLContext of OpenSSL: SSLv23, wide range of ciphers, no peer verification. With such defaults openssl will use tls if the connection peer requests it (unless openssl is ancient and doesn't have support for tls, which I don't think this is the issue here).

The issue is most certainly due to openssl not recognizing peer's CA. I suspect that openssl is either configured with a non-default location (via SSL_CERT_DIR environment variable), /etc/ssl/certs directory is used instead of /etc/pki (see https://bugzilla.redhat.com/show_bug.cgi?id=1053882), or some other issue that prevents OpenSSL from detecting a new CA cert.

Seeing that the customer issue is quite old, and that the fix in a related KB (https://access.redhat.com/solutions/1593413) appears to work for several people, I'd suggest to close this BZ.
Comment 3 Bryan Kearney 2017-04-03 14:56:45 EDT
I am closing this out per comment 2. If you believe this was incorrect, please feel free to re-open with additional inforamtion.

Note You need to log in before you can comment on or make changes to this bug.