Bug 1387868 - openldap server doesn't support any strong cipher suites
Summary: openldap server doesn't support any strong cipher suites
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 25
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Matus Honek
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-10-22 20:02 UTC by Hristo Venev
Modified: 2017-02-02 20:22 UTC

Fixed In Version: openldap-2.4.44-7.fc25
Last Closed: 2017-02-02 20:22:22 UTC
Type: Bug

Description Hristo Venev 2016-10-22 20:02:54 UTC
Because of http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=592250ebfbcc7aa47f22bf1f8613fe20f33fd39a slapd will always disable all ciphers except some SHA1 and MD5 ones. All SHA1 and MD5 ciphers are disabled for some clients (ldapsearch for example) so using openldap is impossible.

Idea: Revert to openssl, as openssl supports setting a list of cipher suites, which is important for servers.

Comment 1 Matus Honek 2017-02-01 14:28:36 UTC
Efforts towards OpenSSL are currently in progress, see bug 1400570 for more info.

I'm fixing the issue in the NSS implementation by issuing the following commits:
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=22dbdbf78a40c4f6b65eb6aed0f35ff10032fd7a
http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=0cc5bf72542ebb0e26227e09fc1950dabda739bf

Comment 2 Fedora Update System 2017-02-01 14:52:01 UTC
openldap-2.4.44-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e

Comment 3 Fedora Update System 2017-02-01 23:52:10 UTC
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e

Comment 4 Fedora Update System 2017-02-02 20:22:22 UTC
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.