Bug 669845 - Default encryption strength dropped in switch to using NSS
Summary: Default encryption strength dropped in switch to using NSS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Jan Vcelak
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On: 669446
Blocks:
Reported: 2011-01-15 00:20 UTC by Rich Megginson
Modified: 2013-03-04 01:28 UTC (History)

Fixed In Version: openldap-2.4.23-7.el6
Doc Type: Bug Fix
Doc Text:
- Connecting to OpenLDAP server.
- After switching from OpenSSL to Mozilla NSS, client provides only a limited subset of cipher suites (the best with medium grade). For this reason encryption strength has dropped.
- More ciphers with better grade were added into default cipher suite list.
- OpenLDAP client now provides better cipher suites for stronger encryption support.
Clone Of: 669446
Environment:
Last Closed: 2011-05-19 13:59:50 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2011:0673 | 0 | normal | SHIPPED_LIVE | openldap bug fix and enhancement update | 2011-05-18 18:10:44 UTC

Description Rich Megginson 2011-01-15 00:20:21 UTC
+++ This bug was initially created as a clone of Bug #669446 +++

Description of problem:

Switching to using NSS for TLS/SSL has changed the default, priority-sorted, list-of-cipher-suites-supported transmitted by clients.  The new list is

00 00 04 - SSL3_CK_RSA_RC4_128_MD5
00 fe ff - -- not sure what this is --
00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
00 fe fe - -- not sure what this is --
00 00 09 - SSL3_CK_RSA_DES_64_CBC_SHA
00 00 64 - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA  --
00 00 62 - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA --
00 00 03 - SSL3_CK_RSA_RC4_40_MD5
00 00 06 - SSL3_CK_RSA_RC2_40_MD5
00 00 ff - SSL3_CK_SCSV

The strongest and most preferred cipher suite on this list is RC4/MD5.  It is at best a medium grade suite.  Compare this to the old OpenSSL list

00 00 39 - TLS1_CK_DHE_RSA_WITH_AES_256_SHA
00 00 38 - TLS1_CK_DHE_DSS_WITH_AES_256_SHA
00 00 35 - TLS1_CK_RSA_WITH_AES_256_SHA
00 00 88 - TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
00 00 87 - TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
00 00 84 - TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA
00 00 16 - SSL3_CK_EDH_RSA_DES_192_CBC3_SHA
00 00 13 - SSL3_CK_EDH_DSS_DES_192_CBC3_SHA
00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
07 00 c0 - SSL2_CK_DES_192_EDE3_CBC_WITH_MD5
00 00 33 - TLS1_CK_DHE_RSA_WITH_AES_128_SHA
00 00 32 - TLS1_CK_DHE_DSS_WITH_AES_128_SHA
00 00 2f - TLS1_CK_RSA_WITH_AES_128_SHA
00 00 9a - TLS1_CK_DHE_RSA_WITH_SEED_SHA
00 00 99 - TLS1_CK_DHE_DSS_WITH_SEED_SHA
00 00 96 - TLS1_CK_RSA_WITH_SEED_SHA
00 00 45 - TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
00 00 44 - TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
00 00 41 - TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA
03 00 80 - SSL2_CK_RC2_128_CBC_WITH_MD5
00 00 05 - SSL3_CK_RSA_RC4_128_SHA
00 00 04 - SSL3_CK_RSA_RC4_128_MD5
01 00 80 - SSL2_CK_RC4_128_WITH_MD5
00 00 15 - SSL3_CK_EDH_RSA_DES_64_CBC_SHA
00 00 12 - SSL3_CK_EDH_DSS_DES_64_CBC_SHA
00 00 09 - SSL3_CK_RSA_DES_64_CBC_SHA
06 00 40 - SSL_OP_MSIE_SSLV2_RSA_PADDING
00 00 14 - SSL3_CK_EDH_RSA_DES_40_CBC_SHA
00 00 11 - SSL3_CK_EDH_DSS_DES_40_CBC_SHA
00 00 08 - SSL3_CK_RSA_DES_40_CBC_SHA
00 00 06 - SSL3_CK_RSA_RC2_40_MD5
04 00 80 - SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5
00 00 03 - SSL3_CK_RSA_RC4_40_MD5
02 00 80 - SSL2_CK_RC4_128_EXPORT40_WITH_MD5

which contains (and prefers) several high grade cipher suites such as AES256/SHA (RC4/MD5, the best default NSS cipher suite, is twenty-first on this list).

The net effect of this is everyone running with the defaults will just have had their encryption downgraded for them by this update.  We only happened to discover what was going on after much pain because our servers are configured to not make certain records available unless high grade ciphers are being used.

Version-Release number of selected component (if applicable): 2.4.23

How reproducible: always

Steps to Reproduce:

1. in one terminal run "openssl s_server -nocert -port 10000 -msg"
2. in another terminal run "ldapsearch -H ldaps://localhost:10000"
3. decode the SSL 2.0 CLIENT_HELLO message in the first terminal according to

http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html

and you will get the above lists of cipher suites (Fedora 14 boxes will give you the first list, older Fedora versions will give you the second list).

Actual results:  The best cipher suite in the default NSS client list of supported ciphers is at best a medium grade cipher suite.

Expected results:  The default NSS client list of supported ciphers should contain at least one high quality cipher suite, and this cipher suite should appear first as the preferred cipher suite, as was the case with OpenSSL.

Additional info:

Note that I'm not reporting that I can't make the system work.  Indeed, specifying "TLS_CIPHER_SUITE HIGH" in ~/.ldaprc gives the following list

00 00 35 - TLS1_CK_RSA_WITH_AES_256_SHA
00 00 2f - TLS1_CK_RSA_WITH_AES_128_SHA
00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
00 00 ff - SSL3_CK_SCSV

which is sufficient for our purposes.  What I'm reporting is that the default ciphers were downgraded, and I suspect most Fedora 14 users will be blissfully unaware of this.  Perhaps this should be filed against NSS.

--- Additional comment from rmeggins on 2011-01-13 13:25:56 EST ---

So if openldap made the default cipher suite list TLS_CIPHER_SUITE HIGH, would that solve the problem, and make openldap with moznss work exactly like openldap with openssl?

--- Additional comment from twhitehead on 2011-01-13 23:05:37 EST ---

That would likely be better than the default of only using medium and low grade cipher suites.  It still wouldn't be technically equivalent though as then the client would only use high grade cipher suites.

I had a look at the OpenSSL LDAP library code (tls_m.c) and it looks like the best you can do without editing the code is to make ALL the default.  This gives a client list of

00 00 35 - TLS1_CK_RSA_WITH_AES_256_SHA
00 00 04 - SSL3_CK_RSA_RC4_128_MD5
00 00 05 - SSL3_CK_RSA_RC4_128_SHA
00 00 2f - TLS1_CK_RSA_WITH_AES_128_SHA
00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
00 00 09 - SSL3_CK_RSA_DES_64_CBC_SHA
00 00 64 - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
00 00 62 - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
00 00 03 - SSL3_CK_RSA_RC4_40_MD5
00 00 06 - SSL3_CK_RSA_RC2_40_MD5
00 00 ff - SSL3_CK_SCSV

which, while not as extensive as the OpenSSL one, contains a reasonable subset of it and prefers the strongest suites.

Cheers!  -Tyson

PS:  From looking at the code, it seems this is not a limitation of NSS but rather the OpenLDAP NSS interface (tls_m.c), which uses a hard coded list, compared to the OpenSSL interface (tls_o.c), which queries the library.

--- Additional comment from rmeggins on 2011-01-14 17:12:57 EST ---

(In reply to comment #2)
> That would likely be better than the default of only using medium and low grade
> cipher suites.  It still wouldn't be technically equivalent though as then the
> client would only use high grade cipher suites.
> 
> I had a look at the OpenSSL LDAP library code (tls_m.c) and it looks like the
> best you can do without editing the code is to make ALL the default.  This
> gives a client list of
> 
> 00 00 35 - TLS1_CK_RSA_WITH_AES_256_SHA
> 00 00 04 - SSL3_CK_RSA_RC4_128_MD5
> 00 00 05 - SSL3_CK_RSA_RC4_128_SHA
> 00 00 2f - TLS1_CK_RSA_WITH_AES_128_SHA
> 00 00 0a - SSL3_CK_RSA_DES_192_CBC3_SHA
> 00 00 09 - SSL3_CK_RSA_DES_64_CBC_SHA
> 00 00 64 - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
> 00 00 62 - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
> 00 00 03 - SSL3_CK_RSA_RC4_40_MD5
> 00 00 06 - SSL3_CK_RSA_RC2_40_MD5
> 00 00 ff - SSL3_CK_SCSV

I've made two changes:
1) if no cipher suite is specified, set it to "DEFAULT"
2) add more cipher suites to the list of default cipher suites

When I do this, I get the list specified above when running your commands.

> which, while not as extensive as the OpenSSL one, contains a reasonable subset
> of it and prefers the strongest suites.
> 
> Cheers!  -Tyson
> 
> PS:  From looking at the code, it seems this is not a limitation of NSS but
> rather the OpenLDAP NSS interface (tls_m.c), which uses a hard coded list,
> compared to the OpenSSL interface (tls_o.c), which queries the library.

We tried to keep the openldap tls settings exactly the same.  For the cipher suite specification, openldap uses the strings used internally by openssl - that is, it just passes the string directly to SSL_CTX_set_cipher_list().  NSS doesn't support those strings, so we have to manually convert the cipher spec strings.  We chose the most common and required cipher suites.  We can add more if needed.

--- Additional comment from rmeggins on 2011-01-14 19:19:58 EST ---

ITS and patch submitted upstream: http://www.openldap.org/its/index.cgi?findid=6790
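
The decoding step from "Steps to Reproduce", as an added example that is not part of the bug report or of OpenLDAP: a Python parser for the SSL 2.0 CLIENT-HELLO message body that lists the offered cipher specs in preference order and checks whether the preferred one is high grade. The grade labels and the `NSS_DEFAULT` sample message are assumptions constructed from the lists quoted in this report.

```python
import struct

# Codes and names as listed in this report. Grades are this example's assumption:
# the suites "TLS_CIPHER_SUITE HIGH" yields are high, RC4-128 is medium (as the
# report says), single-DES and export suites are low.
SUITES = {
    0x000035: ("TLS1_CK_RSA_WITH_AES_256_SHA", "high"),
    0x00002F: ("TLS1_CK_RSA_WITH_AES_128_SHA", "high"),
    0x00000A: ("SSL3_CK_RSA_DES_192_CBC3_SHA", "high"),
    0x000005: ("SSL3_CK_RSA_RC4_128_SHA", "medium"),
    0x000004: ("SSL3_CK_RSA_RC4_128_MD5", "medium"),
    0x000009: ("SSL3_CK_RSA_DES_64_CBC_SHA", "low"),
    0x000064: ("TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA", "low"),
    0x000062: ("TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA", "low"),
    0x000003: ("SSL3_CK_RSA_RC4_40_MD5", "low"),
    0x000006: ("SSL3_CK_RSA_RC2_40_MD5", "low"),
    0x0000FF: ("SSL3_CK_SCSV", "signal"),  # signalling value, not a cipher
}

def parse_client_hello(hex_dump):
    """Return [(code, name, grade)] in the client's preference order."""
    msg = bytes.fromhex(hex_dump)
    if len(msg) < 9 or msg[0] != 0x01:  # msg type 1 = CLIENT-HELLO
        raise ValueError("not an SSL 2.0 CLIENT-HELLO message")
    _version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", msg[1:9])
    if spec_len % 3 or len(msg) != 9 + spec_len + sid_len + chal_len:
        raise ValueError("truncated or malformed CLIENT-HELLO")
    result = []
    for i in range(0, spec_len, 3):  # each cipher spec is 3 bytes
        code = int.from_bytes(msg[9 + i:12 + i], "big")
        result.append((code, *SUITES.get(code, ("unknown", "unknown"))))
    return result

def audit(suites):
    """Report the preferred cipher and any low grade suites on offer."""
    ciphers = [s for s in suites if s[2] not in ("signal", "unknown")]
    return {
        "preferred": ciphers[0][1] if ciphers else None,
        "prefers_high": bool(ciphers) and ciphers[0][2] == "high",
        "low_grade": [name for _, name, grade in ciphers if grade == "low"],
    }

# Constructed message body: version 3.1, the NSS default list quoted in the
# report, no session id, 16-byte all-zero challenge.
NSS_DEFAULT = ("01 0301 001e 0000 0010"
               "000004 00feff 00000a 00fefe 000009 000064 000062 000003 000006 0000ff"
               + "00" * 16)

if __name__ == "__main__":
    print(audit(parse_client_hello(NSS_DEFAULT)))
```

Codes missing from the table, such as the two `00 fe ..` entries the reporter could not identify, come back as "unknown" and are left out of the audit.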

Comment 2 Jan Vcelak 2011-01-20 18:31:36 UTC
Fixed in openldap-2.4.23-7.el6

Comment 3 Jan Vcelak 2011-01-20 18:55:46 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- Connecting to OpenLDAP server.
- After switching from OpenSSL to Mozilla NSS, client provides only a limited subset of cipher suites (the best with medium grade). For this reason encryption strength has dropped.
- More ciphers with better grade were added into default cipher suite list.
- OpenLDAP client now provides better cipher suites for stronger encryption support.

Comment 7 errata-xmlrpc 2011-05-19 13:59:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0673.html

