Description of problem:
When trying to use sssd-ldap against a CentOS 7.2 openldap server, all TLS connections fail. This seems to be a problem with cipher selection and what is available to the client.

Version-Release number of selected component (if applicable):
sssd.x86_64 1.13.4-4.fc24
sssd-ldap.x86_64 1.13.4-4.fc24

The Server offers the following:

 Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption  Bits  Cipher Suite Name (RFC)
 ---------------------------------------------------------------------------------------------------------
 xc030    ECDHE-RSA-AES256-GCM-SHA384    ECDH 384   AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028    ECDHE-RSA-AES256-SHA384        ECDH 384   AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 x9f      DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x6b      DHE-RSA-AES256-SHA256          DH 2048    AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x9d      AES256-GCM-SHA384              RSA        AESGCM      256   TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d      AES256-SHA256                  RSA        AES         256   TLS_RSA_WITH_AES_256_CBC_SHA256
 xc02f    ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027    ECDHE-RSA-AES128-SHA256        ECDH 256   AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 x9e      DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 x67      DHE-RSA-AES128-SHA256          DH 2048    AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 x9c      AES128-GCM-SHA256              RSA        AESGCM      128   TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c      AES128-SHA256                  RSA        AES         128   TLS_RSA_WITH_AES_128_CBC_SHA256

This breaks when trying to connect using STARTTLS on port 389, or port 636. The OpenLDAP server shows the following debug:

STARTTLS:
[sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s).]

LDAPS:
[sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
The LDAP server is configured with:

 olcTLSCipherSuite: HIGH:MEDIUM:!SSLv2:!SSLv3

I believe however this may be incorrect, as I would expect TLSv1, TLSv1.1 etc. to be available, but they aren't. That being said, I would still expect the Fedora 24 client to be able to connect to openldap using one of the ciphers listed above over TLSv1.2.
I actually managed to fix this by noticing I had the olcTLSCipherSuite wrong for the RHEL version of OpenLDAP. As it's linked to moznss, just about all the documentation you come across searching online is incorrect. Yay. Finally, I came up with this LDIF that seems to correct the TLS issues:

 dn: cn=config
 changetype: modify
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/openldap/certs/cacert.crt
 -
 replace: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/openldap/certs/server.crt
 -
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
 -
 replace: olcTLSCipherSuite
 olcTLSCipherSuite: HIGH
 -
 replace: olcTLSProtocolMin
 olcTLSProtocolMin: 3.1
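The failure in this report is a client/server cipher-suite mismatch, and the fix is a server-side cipher spec and protocol floor. The following is an added example, not code from the report, sssd or OpenLDAP: it checks offline whether a client cipher spec shares any suite with the list the server advertises (so an empty overlap predicts the "no common encryption algorithm(s)" error before any handshake), and it classifies the two sssd backend debug lines from the report. Assumptions: the server's offered list is copied from the report's table; the client side is modelled with Python's ssl module, i.e. OpenSSL cipher-string syntax, which only approximates what sssd's NSS-based stack would select; the sample log lines are constructed from the report's two debug messages; the olcTLSProtocolMin mapping treats the values as SSL record-layer versions (3.1 = TLS 1.0).

```python
"""Offline TLS cipher-overlap check and sssd debug-line classifier.

Added example (not from the bug report, sssd or OpenLDAP). The client side is
modelled with Python's ssl module (OpenSSL cipher-string syntax), which is an
approximation of sssd's NSS-based TLS stack.
"""
import re
import ssl

# Constructed from the cipher table in the report: OpenSSL names, server order.
SERVER_OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256", "AES128-SHA256",
]

# Assumption: olcTLSProtocolMin values are SSL record-layer versions,
# so the LDIF's "3.1" is TLS 1.0 and "3.3" would be TLS 1.2.
PROTOCOL_MIN = {
    "3.0": ssl.TLSVersion.SSLv3,
    "3.1": ssl.TLSVersion.TLSv1,
    "3.2": ssl.TLSVersion.TLSv1_1,
    "3.3": ssl.TLSVersion.TLSv1_2,
    "3.4": ssl.TLSVersion.TLSv1_3,
}

# Sample lines constructed from the two debug messages quoted in the report.
SAMPLE_LOG = [
    "[sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: "
    "[Connect error] [TLS error -12286:Cannot communicate securely with peer: "
    "no common encryption algorithm(s).]",
    "[sssd[be[default]]] [sdap_sys_connect_done] (0x0020): "
    "sdap_async_connect_call request failed: [5]: Input/output error.",
]


def client_ciphers(spec):
    """Expand an OpenSSL-style cipher spec into the suite names a client built
    on this OpenSSL would offer. Returns [] when the spec selects nothing,
    which is exactly the case where every handshake must fail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def common_ciphers(client_spec, server_offered=SERVER_OFFERED):
    """Suites both sides support, in client preference order. An empty result
    is what the client reports as "no common encryption algorithm(s)"."""
    offered = set(server_offered)
    return [name for name in client_ciphers(client_spec) if name in offered]


# "[sdap_connect_done] (0x0080): message" -> function, debug level, message.
SSSD_DEBUG_LINE = re.compile(
    r"\[(?P<func>sdap_\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)")


def classify_sssd_line(line):
    """Map one sssd backend debug line to a coarse failure class:
    'no_common_cipher', 'tls_install_failed', 'connect_failed', or None."""
    m = SSSD_DEBUG_LINE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    if "no common encryption algorithm" in msg:
        return "no_common_cipher"       # cipher/protocol mismatch, as in the report
    if "ldap_install_tls failed" in msg:
        return "tls_install_failed"     # STARTTLS failed for some other reason
    if "sdap_async_connect_call request failed" in msg:
        return "connect_failed"         # LDAPS connect failed (I/O error here)
    return None


if __name__ == "__main__":
    for spec in ("HIGH", "HIGH:MEDIUM:!SSLv2:!SSLv3", "ECDHE-ECDSA-AES256-GCM-SHA384"):
        overlap = common_ciphers(spec)
        print(f"{spec!r}: {len(overlap)} common suite(s), first: {overlap[:2]}")
    for line in SAMPLE_LOG:
        print(classify_sssd_line(line), "<-", line[:70])
```

Running it with the report's original spec next to the working `HIGH` shows whether a given OpenSSL build even parses the `!SSLv2` token; an empty overlap for a spec that a client actually uses is the condition to alert on, since it means every bind over STARTTLS or LDAPS will fail and clients will fall back to whatever their configuration allows.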