Description of problem:
Cannot use SSL3, even after setting TLSProtocolMin to 3.0 and TLSCipherSuite to ALL:COMPLEMENTOFALL.

Version-Release number of selected component (if applicable):
openldap-2.4.46-1.fc28

Actual results:
Connection fails due to unsupported protocol.

Expected results:
Connection is successfully established over SSL3.

Additional info:
Given the downstream fix for OpenSSL itself [1], I guess SSL3 is disabled by default by OpenSSL, so the way OpenLDAP chooses enabled protocols based on TLS_PROTOCOL_MIN (i.e. only disabling protocols explicitly, not enabling them) [2] is not sufficient for actually having them enabled. We will probably need to do something like OpenSSL did in [1]. Additionally, we should possibly fix the same issue happening in the future for TLS1.x.

[1] https://src.fedoraproject.org/rpms/openssl/c/790567dc649ff1a5627cf9cce3dd78e0f6aa9305
[2] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_o.c;h=92c708be0e7c41a48727f4e0242cc4c3c803436f;hb=1c9416493bd219b08d839cd9e93fc64daa89b752#l301
https://src.fedoraproject.org/rpms/openldap/c/b52530eb5c6a4400026786a14c03648f1d220daf?branch=f28
https://src.fedoraproject.org/rpms/openldap/c/53b870b7dbc10d0b1955a217be656b221cfa01b5?branch=f29
https://src.fedoraproject.org/rpms/openldap/c/53b870b7dbc10d0b1955a217be656b221cfa01b5?branch=master
openldap-2.4.46-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10
I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue is fixed. When SSL3 is explicitly configured it is supported, but it is not when it is not configured. Is this intentional?
openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c9a52df10
(In reply to Patrik Kis from comment #3)
> I've checked the latest openldap-2.4.46-3.fc28, and it looks like this issue
> is fixed. When SSL3 is explicitly configured it is supported, but it is not
> when it is not configured. Is this intentional?

Yes, this comes from the system-wide crypto policy of OpenSSL. The same way this will be broken in the future for other protocols as well, but I'd rather upstream to decide on what will be their approach - I'm about to file an upstream ticket, soon.
The issue seems to be not fixed for i686: openldap-2.4.46-2.fc28.i686

# cat /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database config
rootdn cn=Manager,cn=config
# password is 'x'
rootpw x
database bdb
suffix dc=my-domain,dc=com
rootdn "cn=Manager,dc=my-domain,dc=com"
# password is 'x'
rootpw {SSHA}tOSmeQCcYIm1S9ujgpg2Km5rpUnR9dRB
directory /var/lib/ldap/
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSVerifyClient allow
TLSProtocolMin 3.0
#
#
# openssl s_client -connect my-domain.com:636 -CAfile /etc/openldap/cacerts/ca.crt -ssl3
3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 66 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534768521
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
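The comment above reads the `openssl s_client` output by hand to decide whether slapd accepted the forced protocol version. The script below automates that reading so an administrator can verify, per version, what an LDAPS endpoint actually negotiates after changing TLSProtocolMin or the crypto policy. It is an added example, not code from this bug report, from OpenLDAP or from OpenSSL; it assumes the `openssl` binary is on PATH and that the local build still accepts the version flags listed (modern builds reject `-ssl3` outright, which the script reports as a local limitation rather than a server refusal). The refused-handshake sample is abridged from the output in the comment above; the accepted-handshake sample is constructed.

```python
"""Probe which SSL/TLS protocol versions an LDAPS server negotiates.

Added example (not from the bug report, OpenLDAP or OpenSSL). Parses the
text `openssl s_client` prints, the same output the comment above read by
hand: a refused version shows a handshake-failure / unsupported-protocol
error and "Cipher is (NONE)", an accepted one reports a real cipher name.
"""
import re
import subprocess
import sys

# s_client flags that force a single protocol version. Whether each one is
# accepted depends on the local OpenSSL build (assumption: a build that
# still knows -ssl3; otherwise s_client exits with "Unknown option").
PROTO_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}

# Error fragments OpenSSL prints when the peer (or the library) refuses the
# requested version; any of them means the version is not negotiable.
REFUSAL_RE = re.compile(
    r"alert handshake failure|unsupported protocol|wrong version number"
    r"|alert protocol version|no protocols available"
)


def handshake_result(output):
    """Interpret s_client output; return (accepted, protocol, cipher)."""
    if re.search(r"[Uu]nknown option", output):
        # The local openssl cannot even attempt this version.
        return False, None, "(flag unsupported by local openssl)"
    m = re.search(r"^New, (.*?), Cipher is (.+)$", output, re.M)
    cipher = m.group(2).strip() if m else "(NONE)"
    pm = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    protocol = pm.group(1) if pm else None
    accepted = REFUSAL_RE.search(output) is None and cipher != "(NONE)"
    return accepted, protocol, cipher


def probe(host, port, protocol, cafile=None, timeout=10):
    """Force one version with s_client and classify the outcome."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", PROTO_FLAGS[protocol]]
    if cafile:
        cmd += ["-CAfile", cafile]
    try:
        # Empty stdin so s_client closes the session instead of waiting.
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return False, None, f"(error: {exc})"
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return handshake_result(text)


# Constructed sample: the SSLv3 refusal from the comment above, abridged.
SAMPLE_REFUSED = """\
3080775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

# Constructed sample of an accepted TLS 1.2 handshake (made up for illustration).
SAMPLE_ACCEPTED = """\
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""


def main(argv):
    if len(argv) < 3:
        # No target given: show the classifier on the embedded samples.
        for name, text in (("refused", SAMPLE_REFUSED), ("accepted", SAMPLE_ACCEPTED)):
            print(name, handshake_result(text))
        return
    host, port = argv[1], argv[2]
    cafile = argv[3] if len(argv) > 3 else None
    for protocol in PROTO_FLAGS:
        accepted, negotiated, cipher = probe(host, port, protocol, cafile)
        print(f"{protocol:8} {'accepted' if accepted else 'refused ':8} {negotiated} {cipher}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 probe.py my-domain.com 636 /etc/openldap/cacerts/ca.crt` to list, per version, whether the server negotiated it; with no arguments it only classifies the two embedded samples. The point for a defender is the inverse of the bug above: after a TLSProtocolMin or crypto-policy change, confirm that the legacy versions you expect to be off really are refused, not just absent from the configuration.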
Ok, I take it back, all works; the system was not upgraded when I tested.
openldap-2.4.46-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.