1822087 – Disabling TLSv1.3 via TLS_CIPHER_SUITE doesn't have effect

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1822087 - Disabling TLSv1.3 via TLS_CIPHER_SUITE doesn't have effect

Summary: Disabling TLSv1.3 via TLS_CIPHER_SUITE doesn't have effect

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	openldap
Sub Component:
Version:	8.1
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Matthew Harmsen
QA Contact:	RHDS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-04-08 08:32 UTC by Sami Silén
Modified:	2021-10-08 07:27 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-08 07:27:11 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Sami Silén 2020-04-08 08:32:18 UTC

New RedHat 8.1 I cannot connect directory server on RedHat 7 with ldapsearch or sssd. On 389ds we have only TLSv1.2 available with couple of AES ciphers.

It looks like that TLS_CIPHER_SUITE on /etc/openldap/ldap.conf doesnt have any effect on TLSv1.3 protocol. On my tests, it looks like ldap clients always tries to access server with TLSv1.3 and because it's not available connection breaks.

ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

When I test my cipher list, I havent been able to disable TLSv1.3
# openssl ciphers -v  'AES256-SHA256:+TLSv1.2:-TLSv1.3:-TLSv1.1:-TLSv1:-SSLv3'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256

With curl I am able to establish connection
# curl -v ldaps://>ldapserver> --tls-max 1.2
* TCP_NODELAY set
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA

Using: 
openldap-clients-2.4.46-11.el8_1.x86_64
curl-7.61.1-11.el8.x86_64

Comment 1 Matus Honek 2020-04-08 10:19:38 UTC

Hi Sami,

OpenLDAP does not seem to be properly configurable for TLSv1.3 currently (although it works just ok with it with OpenSSL-default ciphers pre-set). OpenSSL, which OpenLDAP uses, has new options for TLSv1.3 that need to be implemented in OpenLDAP first (ciphersuites are set differently, see the `man ciphers`).

In your case, you did not mention explicitly if it is so, you should make sure the server has TLSv1.3 disabled by setting the `sslVersionMax: TLS1.2`. Then, it should be impossible to negotiate TLSv1.3 even though the client supports it. Please, let me know if this helped.

Also, please note, as it is also mentioned in the `man ciphers`, that:
1. There is no TLSv1.3 keyword for OpenSSL ciphers.
2. Setting any of the TLSv* or SSL* keywords for the ciphers does not disable the protocol itself.

Hope this helps,
Matus

Comment 2 Sami Silén 2020-04-08 13:17:19 UTC

Thanks Matus,

Situation is so that I have 389ds (Directory server) acting as a LDAP server. It's running on a top of RedHat7 and there shouldn't be any configuration (nor support) for TLSv1.3 at all. 
I was hoping that there would be some sslversionmax in ldap.conf which would be used by ldap clients. But after reading your mail, I have started to wonder actions of our ldap server.

No when you mentioned that impossilibity. I didn't event think about the server side because I have made scans, it only shows that It can negotiate TLSv1.2. Because it's also oldish, I didn't even think that it could be the problem with TLSv1.3 case. But now this makes me wonder why it then tries to establish TLSv1.3 link? It sure has sslversionmax attribute which I think makes the trick. I have to give it a try.

Thanks Matus!

Comment 3 Matus Honek 2020-04-08 13:37:09 UTC

The support very much depends on the crypto library and in case of NSS (which is used in 389ds) it actually does "since Firefox (tm)" which needs it; but in general security tends to be more up-to-date since... well, security is important. I know there were some issues some months ago where 389ds would pick up TLSv1.3 although it shouldn't but that should be fixed now, just make sure you are on the latest, it was fixed somewhere after 389-ds-base-1.3.10. But explicit override (as discussed) should work anyway.

Comment 4 Sami Silén 2020-04-09 03:14:43 UTC

I should be on latest.

* openssl-1.0.2k-19.el7.x86_64
* 389-ds-base-1.3.10.1-5.el7.x86_64

Our 389ds had sslversionmax set to 1.3, which was weird. I don't think it would have been set originally, maybe some update had updated that when support arrived. But now everything works with 1.2, that's not a fix thou if it should work with 1.3 also.

// Sami

Comment 7 Aki Ketolainen 2021-02-16 11:11:01 UTC

I'm seeing this same error for sssd when trying to add a new CentOS 8.3 container to and existing CentOS 7 environment with 389-ds as the directory server.

(2021-02-16 10:49:45): [be[LDAP]] [sdap_connect_done] (0x0080): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL.
(2021-02-16 10:49:45): [be[LDAP]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure]

Also getting it for ldapsearch running on CentOS 8.3:

env LDAPTLS_CACERT=/etc/openldap/certs/cert.pem ldapsearch -ZZ -H ldap://389-ds-1:389/ -D uid=aki,ou=people,dc=environment,dc=company,dc=com -W -b ou=people,dc=environment,dc=company,dc=com uid=aki

ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I was able to switch to nss-pam-ldapd and nscd instead of sssd with the following config in /etc/nslcd.conf:

uid nslcd
gid ldap
uri ldap://389-ds-1/
uri ldap://389-ds-2/
ldap_version 3
base dc=environment,dc=company,dc=com
binddn uid=dirquery,ou=People,dc=environment,dc=company,dc=com
bindpw password
scope sub
base   group  ou=Groups,dc=environment,dc=company,dc=com
base   passwd ou=People,dc=environment,dc=company,dc=com
base   shadow ou=People,dc=environment,dc=company,dc=com
tls_cacertfile /etc/openldap/certs/cert.pem
tls_ciphers HIGH:+TLSv1.2:-TLSv1.3

If I add that last config entry to sssd.conf as

ldap_tls_cipher_suite = HIGH:+TLSv1.2:-TLSv1.3

the problem doesn't get resolved.

Comment 8 Aki Ketolainen 2021-02-16 16:51:36 UTC

Sorry, I read the thread without noticing that setting "sslVersionMax: TLS1.2" would fix it. It worked with 389-ds for me too.

Comment 10 RHEL Program Management 2021-10-08 07:27:11 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Note You need to log in before you can comment on or make changes to this bug.