Description of problem:
OpenLDAP doesn't support SHA2 algorithms

Version-Release number of selected component (if applicable):
openldap-2.3.43-12.el5_5.2

How reproducible:
ldapsearch -d3 -v -x -H ldaps://some-server-with-a-sha2-cert/ -b $base '(uid=foo)'

Actual results:
TLS certificate verification: Error, certificate signature failure
[...]
additional info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

Expected results:
successful connection

Additional info:
Please backport https://github.com/openldap/openldap/commit/b6ae077e1f1b660a4acbcff14c752ffc4ac265e6
Upstream bug: http://www.openldap.org/lists/openldap-bugs/200907/msg00011.html

Thanks.
Created attachment 461645 [details]
backport

Here's the backport. Build tested only. Unfortunately I can't test this very easily right now - our testing environment has gone down...
Installing the openldap packages I built causes ldapsearch to work... but nss_ldap still fails with the same error.

New steps to reproduce (switching from a working, non-ssl/tls setup to a broken setup):

In /etc/ldap.conf,
- change "uri ldap://ldap/" to "uri ldaps://ldap/"
- add a line "debug 1023"

Ensure "ldap" is on the appropriate lines in /etc/nsswitch.conf (passwd, shadow, group, ...).

Run `getent passwd`
CTRL-C

Annoyingly, without the "debug" line, nss_ldap claims to be unable to contact the ldap server.

I'm going to try rebuilding the nss_ldap package tomorrow.
Rebuilding the nss_ldap package against my openldap packages gets LDAP auth over SSL/TLS to work (when the CA/server cert has a SHA2 signature). Tested successfully on four machines.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
Looks to me like the proposed patch has significant potential implications, notably by exposing new ciphers (not verified). I could easily imagine performance regressions.

IMHO, such a change would deserve a release note during a minor release.

It would need to be tested, but I'd be reassured by some simpler change like:

+ EVP_add_digest(EVP_sha256());

With best regards,
--
Pierre Carrier, Technical Support Engineer
Production Support, EMEA office
Global Support Services
Red Hat, Inc.
The proposed patch will not add any new ciphersuites to the SSL library - they have to be explicitly added to the SSL library ciphersuite list. It will just allow these hashes in the certificates which cannot result in performance regressions.
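The failure in the original report and the digest-table discussion above come down to one question: which digest signed the server certificate, and is that digest registered in the client's OpenSSL EVP table? The following is an added example, not code from this bug or from OpenLDAP or OpenSSL: a stdlib-only parser that reads the signatureAlgorithm OID from a DER-encoded X.509 certificate and reports whether a client whose digest table holds only md5 and sha1 could verify it. The function names, the `registered` parameter and the two sample DER blobs are constructed for this example; a real certificate's DER can be obtained from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 636)))`.

```python
def _tlv(der, pos):
    """Decode one DER tag/length/value at pos -> (tag, content, next position)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

# Digest implied by common signature-algorithm OIDs (RSA PKCS#1 v1.5 and ECDSA).
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.5": "sha1", "1.2.840.113549.1.1.11": "sha256",
    "1.2.840.113549.1.1.12": "sha384", "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.1": "sha1", "1.2.840.10045.4.3.2": "sha256",
    "1.2.840.10045.4.3.3": "sha384", "1.2.840.10045.4.3.4": "sha512",
}

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def signature_digest(der):
    return SIG_OID_DIGEST.get(signature_oid(der), "unknown")

def verifiable_by_legacy_client(der, registered=("md5", "sha1")):
    """False when the signing digest is not in the client's digest table: the
    'unknown message digest algorithm' failure reported in this bug."""
    return signature_digest(der) in registered

# Constructed samples (not real certificates): empty tbsCertificate, AlgorithmIdentifier of
# sha256WithRSAEncryption / sha1WithRSAEncryption, empty BIT STRING signature.
SAMPLE_SHA256_DER = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")
SAMPLE_SHA1_DER = bytes.fromhex("30143000300d06092a864886f70d0101050500030100")
```

Running `verifiable_by_legacy_client` over the certificates your ldaps servers present tells you which of them a client built against an OpenSSL without SHA-2 digests registered would reject.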
Note that this problem is solved already by the openssl update in RHEL 5.7.
Tomas,

Do you mean openssl-0.9.8e-12.el5_5.7 ? I still see the same issue with this update.

# grep -i reqcert /etc/openldap/ldap.conf
TLS_REQCERT always
# rpm -q openssl
openssl-0.9.8e-12.el5_5.7
# ldapsearch -v -x -H ldaps://$HOST/ -b dc=ctisl,dc=gtri,dc=org '(uid=foo)'
ldap_initialize( ldaps://$HOST/ )
ldap_bind: Can't contact LDAP server (-1)
additional info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
No, the update was not yet released publicly. It will be in the openssl-0.9.8e-18.el5 package. I apologize for the confusion.
(In reply to comment #13)
> Note that this problem is solved already by the openssl update in RHEL 5.7.

Tomas, if I've understood you correctly, the OpenSSL change for bug #676384 is in itself sufficient to address this issue, and no change to the OpenLDAP packages is required to support SHA2 algorithms. If that's indeed the case, can you please mark this entry as CLOSED DUPLICATE of 676384?
Yes.

*** This bug has been marked as a duplicate of bug 676384 ***