1582747 – DS only accepts RSA and Fortezza cipher families

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1582747 - DS only accepts RSA and Fortezza cipher families

Summary: DS only accepts RSA and Fortezza cipher families

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.5
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	RHDS QE
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:	1584066
TreeView+	depends on / blocked

Reported:	2018-05-26 17:39 UTC by mreynolds
Modified:	2020-09-13 22:10 UTC (History)
CC List:	6 users (show)
Fixed In Version:	389-ds-base-1.3.8.4-1.el7
Doc Type:	Bug Fix
Doc Text:	Directory Server now supports certificates with all ciphers supported by NSS Due to a restriction in Directory Server, administrators could only use RSA and Fortezza ciphers. As a consequence, certificates created with a different cipher, such as ECC certificates, were not supported. This update removes this restriction. As a result, administrators can now use certificates with all ciphers supported by the underlying Network Security Services (NSS) database when configuring TLS in Directory Server.
Clone Of:
Clones:	1584066 (view as bug list)
Environment:
Last Closed:	2018-10-30 10:13:48 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 2785	0	None	None	None	2020-09-13 22:10:35 UTC
Red Hat Product Errata	RHSA-2018:3127	0	None	None	None	2018-10-30 10:14:32 UTC

Description mreynolds 2018-05-26 17:39:45 UTC

Description of problem:


Currently DS only accepts fortezza and RSA cipher families. This prevents things like ECC certificates from being used.

@rcritten found the issue in ldap/servers/slapd/ssl.c, and pointed out that nunc-stans tls code was already doing the right thing, but not the core server code.

Upstream ticket:

https://pagure.io/389-ds-base/issue/49726

Comment 2 mreynolds 2018-05-28 16:07:52 UTC

Fixed upstream

Comment 5 mreynolds 2018-05-31 16:11:19 UTC

Asha,

QE is asking for a basic reproducer on this.  Can you provide the steps needed to generate ECC certificates?



From the DS side the SSL initialization failed, and the server would not listen on the secure port.

[25/May/2018:16:26:17.052973659 -0400] - WARN - Security Initialization - SSL alert: ConfigSecureServer: Server key/certificate is bad for cert DS Certificate of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8187 - security library: invalid arguments.)
[25/May/2018:16:26:17.074510928 -0400] - ERR - Security Initialization - SSL failure: None of the cipher are valid

With the current fix it just works.  There is no special configuration needed on the DS side to use ECC certificates.

Comment 6 Asha Akkiangady 2018-05-31 22:20:54 UTC

The certutil command has options to create ECC certificates. To generate a ECC key/certificate use the options  "-k ec -q <curve-name>". <curve-name> is the elliptic curve name that you are testing. "certutil -G --help" shows all the available curves.

Here is an example for cert creation using curve nistp256:

The file /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/password.txt is owned by directory server user (example: dirsrv) and it has nss database password.

# cd /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/
# openssl rand -out noise.bin 2048
# echo -e "0\n1\n2\n3\n9\ny\n" | \
certutil -S -x \
-d /etc/dirsrv/slapd-<DS-INSTANCE-NAME> \
-f /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/password.txt  \
-z noise.bin \
-n "DS Certificate" \
-s "CN=$HOSTNAME" \
-k ec \
-q nistp256 \
-Z SHA256 \
-t "CT,C,C" \
-m $RANDOM\
-1

# certutil -L -d /etc/dirsrv/slapd-<DS-INSTANCE-NAME>/

Certificate Nickname                                     	Trust Attributes
                                                        	SSL,S/MIME,JAR/XPI

DS Certificate                                           	CTu,Cu,Cu

Comment 8 Akshay Adhikari 2018-07-11 13:38:44 UTC

Build tested: 389-ds-base-1.3.8.4-3.el7.x86_64

TLS is initialized:

[11/Jul/2018:08:22:08.157828878 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2

List of certificate in the DB:

[root@qeos-54 slapd-DS]# certutil -K -d /etc/dirsrv/slapd-DS/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> ec       4ad944d1958e6625a7d82df4db5eaa50700876e0   NSS Certificate DB:Server-Cert
< 1> ec       76af609b3ec710364b2ae50d8183ad5bb126256a   NSS Certificate DB:CA certificate

[root@qeos-54 slapd-DS]# ss -ntpl | grep ns-slapd
LISTEN     0      128         :::636                     :::*                   users:(("ns-slapd",pid=30535,fd=8))
LISTEN     0      128         :::389                     :::*                   users:(("ns-slapd",pid=30535,fd=7))

The server is running, also able to bind on the LDAPS port.

Comment 10 errata-xmlrpc 2018-10-30 10:13:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3127

Note You need to log in before you can comment on or make changes to this bug.