Bug 1322329 - Secured LDAP with Apache httpd module mod_authnz_ldap conflicts with nss
Summary: Secured LDAP with Apache httpd module mod_authnz_ldap conflicts with nss
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.7
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-30 10:15 UTC by fgoldefu
Modified: 2016-09-21 12:40 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-20 14:58:28 UTC
Target Upstream Version:

Attachments (Terms of Use)
Config for apache http. (712 bytes, text/plain)
2016-03-30 10:15 UTC, fgoldefu 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JWS-360 0 Major Closed LDAP authentized connection with mod_authnz_ldap SSL connection not estabilished 2018-07-19 12:42:40 UTC

Description fgoldefu 2016-03-30 10:15:47 UTC 
Created attachment 1141657 [details]
Config for apache http.

Description of problem:
Secured LDAP with apache httpd and apache httpd module mod_authnz_ldap conflicts with nss since version 3.19.1-3.el6_6.

Version-Release number of selected component (if applicable):
nss*3.19.1-3.el6_6 and newer

How reproducible:
Configure apache httpd secured LDAP. Config file is attached.

Steps to Reproduce:
1. Configure httpd secured LDAP
2. Start httpd
3. Add user and try to authenticate.

Actual results:

TLS: certificate [CN=dhcp-4-207.brq.redhat.com,OU=Directory,O=ASF,C=US] is not valid - error -8181:Peer's Certificate has expired..
TLS: certificate [CN=dhcp-4-207.brq.redhat.com,OU=Directory,O=ASF,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 115 - moznss error -12156
TLS: can't connect: TLS error -12156:The server certificate included a public key that was too weak..

User is not authorized.

Expected results:

User is authorized.

Additional info:
Same problem is on RHEL6.7, RHEL6.8 and RHEL7. Problem occurs with BaseOS httpd and JWS.
Comment 2 Jakub Hrozek 2016-03-30 10:38:08 UTC 
1. Why is anyone still using nss-pam-ldapd and not sssd?
2. This doesn't look like a bug at all, but a weak crypto was used. The error message tells you what's wrong:
TLS: can't connect: TLS error -12156:The server certificate included a public key that was too weak..

Can I close this as NOTABUG?
Comment 20 JBoss JIRA Server 2016-09-21 12:40:58 UTC 
Jean-Frederic Clere <jfclere> updated the status of jira JWS-360 to Closed
Note You need to log in before you can comment on or make changes to this bug.