Bug 1327065 - After updating server, component nss-3.21.0-0.3.el6_7.x86_64, some client applications cannot connect to server.
Summary: After updating server, component nss-3.21.0-0.3.el6_7.x86_64, some client app...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1269194 1365846
TreeView+ depends on / blocked
 
Reported: 2016-04-14 08:23 UTC by German Parente
Modified: 2017-03-21 10:20 UTC (History)
12 users (show)

Fixed In Version: 389-ds-base-1.2.11.15-83.el6
Doc Type: Bug Fix
Doc Text:
Directory Server now supports configuring weak DH parameters The network security services (NSS) libraries, linked with the Red Hat Directory Server, require a minimum of 2048-bit Diffie-Hellman (DH) parameters. However, Java 1.6 and 1.7 supports only 1024-bit DH parameters. As a consequence, clients using these Java versions were unable to connect to Directory Server using encrypted connections. This update adds the "allowWeakDHParam" parameter to the "cn=encryption,cn=config" entry. As a result, if this parameter is enabled, affected clients can now connect using weak DH parameters.
Clone Of:
Environment:
Last Closed: 2017-03-21 10:20:59 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0667 normal SHIPPED_LIVE 389-ds-base bug fix update 2017-03-21 12:35:05 UTC

Description German Parente 2016-04-14 08:23:53 UTC
Description of problem:

sorry for the lack of investigation here. We have seen at least three customers that, after updating the nss component, have client applications failing to connect to server.

Most of them are using java applications with java7.

And in some cases the ciphers Diffie–Hellman key exchange (D–H) seems to be the root cause.

In some cases, this has been solved by disabling the former alg. from client application. 

In case of Apache Directory Studio, java8 solved the issue.

I am logging this bug for tracking purposes. Feel free to close it if it's not considered a bug but a tuning issue + documentation to send to customer about changes in the ciphers.

Version-Release number of selected component (if applicable):

nss-util-3.21.0-0.3.el6_7.x86_64
nss-3.21.0-0.3.el6_7.x86_64
389-ds-base-libs-1.2.11.15-72.el6_7.x86_64
389-ds-base-1.2.11.15-72.el6_7.x86_64

Comment 17 Gerald Prock 2016-04-20 18:03:00 UTC
We have the same problem with the IBM webapplication server (WebSphere).
There the Java 1.6 can not connect after the update.

It also seams, that the priority of the cipher has changed.

With the old nss (3.19.1-8.el6_7.x86_64) the connection is "AES128-GCM-SHA256" and after the update (3.21.0-0.3.el6_7.x86_64) it is changed to "DHE-RSA-AES128-GCM-SHA256". The new cipher need a diffie hellman parameter and this is 2048. The old java can only use 1024 and the connection fails.

Is there any way to change the order of the cipher back to the older behavior?

Comment 18 German Parente 2016-04-20 18:29:05 UTC
Hi Gerald,

a workaround has been given privately in this bug report.

Either you change ciphers in RHDS disabling dhe ones:

under dn: cn=encryption,cn=config

append to the attribute called nsSSL3Ciphers the following spec:

,-tls_dhe_rsa_aes_128_sha,-tls_dhe_rsa_aes_256_sha

or you could run java using:

-Djdk.tls.ephemeralDHKeySize=2048

but this has been tested in java 7 only.

thanks and regards,

German.

Comment 19 Noriko Hosoi 2016-04-20 20:34:28 UTC
(In reply to German Parente from comment #18)
> 
> or you could run java using:
> 
> -Djdk.tls.ephemeralDHKeySize=2048
> 
> but this has been tested in java 7 only.

That'd be the perfect workaround although it seems it was introduced in Java 7.

7u85 Update Release Notes
http://www.oracle.com/technetwork/java/javase/7u85-relnotes-2587591.html

Support stronger strength ephemeral DH keys in the SunJSSE provider

The ephemeral DH key size now defaults to 1024 bits during SSL/TLS handshaking in the SunJSSE provider. A new system property, "jdk.tls.ephemeralDHKeySize", is defined to customize the ephemeral DH key sizes. This can be set to "legacy" if the older JDK behavior (DH keysize of 768 bits) is desired. The DH key size for exportable ciphersuites remains at 512 bits.

Comment 21 Marc Sauton 2016-04-20 21:49:03 UTC
in reply to the comment
https://bugzilla.redhat.com/show_bug.cgi?id=1327065#c17

if the requirement is to keep weaker ciphers, about the RHDS workaround, you may also need to disable
tls_dhe_rsa_with_aes_128_gcm_sha256

Comment 24 Gerald Prock 2016-04-21 08:52:29 UTC
Thx to all for the workaround. I disabled the 3 named ciphers but the connection was still "DHE-RSA-AES128-GCM-SHA256" with dh 2048.

So i removed one cipher after another to get the old Java 1.6 back to work.
The impact to the security was to much, so i reverted back to the nss downgrade for the moment.

There is also a ticket on the 389-ds list:
https://fedorahosted.org/389/ticket/48798

According to our tests the parameter "-Djdk.tls.ephemeralDHKeySize=2048" didn't work with the old Java 1.6 clients.

Comment 25 Gerald Prock 2016-04-21 08:53:07 UTC
Thx to all for the workaround. I disabled the 3 named ciphers but the connection was still "DHE-RSA-AES128-GCM-SHA256" with dh 2048.

So i removed one cipher after another to get the old Java 1.6 back to work.
The impact to the security was to much, so i reverted back to the nss downgrade for the moment.

There is also a ticket on the 389-ds list:
https://fedorahosted.org/389/ticket/48798

According to our tests the parameter "-Djdk.tls.ephemeralDHKeySize=2048" didn't work with the old Java 1.6 clients.

Comment 26 German Parente 2016-04-21 09:06:07 UTC
Hi Gerald,

thanks for your feedback.

The list of all ciphers in nss component can be found here:

http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

So, if we want to disable all DH ciphers, the list should be:

-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_DSS_WITH_AES_128_CBC_SHA, -TLS_DHE_DSS_WITH_AES_256_CBC_SHA, -TLS_DHE_DSS_WITH_DES_CBC_SHA, -TLS_DHE_DSS_WITH_RC4_128_SHA, -TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -TLS_DHE_RSA_WITH_DES_CBC_SHA, -TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, -TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, -TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, -TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, -TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, -TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, -TLS_ECDH_ECDSA_WITH_NULL_SHA, -TLS_ECDH_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_NULL_SHA, -TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -TLS_ECDHE_RSA_WITH_NULL_SHA, -TLS_ECDHE_RSA_WITH_RC4_128_SHA, -TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, -TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -TLS_ECDH_RSA_WITH_NULL_SHA, -TLS_ECDH_RSA_WITH_RC4_128_SHA, -TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_DSS_WITH_DES_CBC_SHA, -TLS_DHE_DSS_WITH_RC4_128_SHA, -TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_RSA_WITH_DES_CBC_SHA, -TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_RSA_WITH_RC4_128_SHA, -TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_RSA_WITH_RC4_128_SHA, -TLS_DH_DSS_WITH_AES_128_CBC_SHA, -TLS_DH_RSA_WITH_AES_128_CBC_SHA, -TLS_DH_DSS_WITH_AES_256_CBC_SHA, -TLS_DH_RSA_WITH_AES_256_CBC_SHA, -TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, -TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, -TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, -TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, -TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, -TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, -TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, -TLS_ECDHE_ECDSA_WITH_NULL_SHA, -TLS_ECDHE_RSA_WITH_NULL_SHA, -TLS_ECDH_RSA_WITH_NULL_SHA, -TLS_ECDH_ECDSA_WITH_NULL_SHA

Comment 27 Gerald Prock 2016-04-21 10:32:26 UTC
Hi German,

thx for the information. Disabling all the DH cipher works for the old Java 1.6 clients. But it is really a big impact to the security on the server :)

At the moment we try to solve the problem on the client side. It seams that there is a backport of the "ephemeralDHKeySize" function for the Oracle, the IBM and the OpenJDK Java 6.

Oracle Java "6u101 b14":
http://www.oracle.com/technetwork/java/javase/overview-156328.html#6u101-b14

IBM Java "6 R1 SR8 FP15":
http://www-01.ibm.com/support/docview.wss?uid=swg1IV78754

OpenJDK 6 (b36):
http://mail.openjdk.java.net/pipermail/jdk6-dev/2015-July/003528.html

Our first test with Java6 was with the IBM Java 6 SR7 and that coun't work.

At the moment we are upgrading the test server for the next try.
I will inform you about the result as soon as possible.

Comment 28 Gerald Prock 2016-04-21 14:16:02 UTC
Our tests are done. With the versions described above the option "ephemeralDHKeySize" works also with Java 6 and the client can connect.

We have now three ways to fix the problem:
1) Update Java :D
2) Disable the dh cipher (complete list ...)
3) Add a 1024 bit dh parameter to the server certificate

We will use the first way to also improve the security.

Thanks to all for the help.

Comment 29 wibrown@redhat.com 2016-04-21 21:53:23 UTC
> According to our tests the parameter "-Djdk.tls.ephemeralDHKeySize=2048"
> didn't work with the old Java 1.6 clients.

Only works with Java 1.7.0-85 and above I think.

Comment 31 Marc Sauton 2016-05-20 00:50:52 UTC
added this article:
https://access.redhat.com/solutions/2332231
Red Hat Directory Server and Java and C/C++ client applications TLS connections failed after RHEL 6.7 update with nss-3.21.0-0.3.el6_7.x86_64, DHE cipher params updates

Comment 43 Gaurav Swami 2016-11-14 15:53:23 UTC
Do we have Test packages for this Bugzilla?. If yes my customer would like to test this packages.

Comment 51 errata-xmlrpc 2017-03-21 10:20:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html


Note You need to log in before you can comment on or make changes to this bug.