
enterprise-support team mailing list archive

[Bug 1591681] [NEW] Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd


Public bug reported:

While securing our boxes, I noticed that testssl was flagging the
absence of server cipher order:


./testssl.sh localhost:636
 Has server cipher order?     nope (NOT ok)

While trying to set it using the following command, slapd just crashed:

ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE
-
EOF

Without the %SERVER_PRECEDENCE, it works.

According to https://gnutls.org/manual/html_node/Priority-Strings.html
and http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-with-gnutls/
this is indeed the proper setting to add server cipher order.

Same issue happens with %FALLBACK_SCSV ("Downgrade attack prevention NOT
supported"). There seems to be no setting to fix "Secure Client-Initiated
Renegotiation".

However, adding %SAFE_RENEGOTIATION (although not fixing anything) at
least doesn't crash slapd.


1) root@xl:~# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
2) root@xl:~# apt-cache policy slapd
slapd:
  Installed: 2.4.31-1+nmu2ubuntu8.2
  Candidate: 2.4.31-1+nmu2ubuntu8.2
  Version table:
 *** 2.4.31-1+nmu2ubuntu8.2 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.31-1+nmu2ubuntu8 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
3) What I expected to happen:

There should be a way to enforce server cipher order in slapd, as well
as protect against Client-Initiated Renegotiation and prevent downgrade
attacks.

4) What happened instead

When trying to enable these settings that would make slapd more secure,
it crashes (and after restart, the requested settings are still not
enabled).

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to openldap in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1591681
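The report above applies a GnuTLS priority string to slapd through olcTLSCipherSuite and only learns that slapd rejects it when the daemon crashes. The following is an added example, not code from the bug report, OpenLDAP or GnuTLS: a small offline parser for the priority-string syntax documented in the GnuTLS manual (an initial keyword, then ':'-separated items prefixed with '+', '-', '!' or '%'), an audit that checks a hardening policy (server cipher order requested, SSL 3.0, 3DES and ARCFOUR removed), and a helper that emits the LDIF from the report only once the string passes. The keyword and option lists are partial and assumed from the manual; treating a bare item as an addition is also an assumption. The check says nothing about whether a given slapd build accepts an option, which is exactly what the report shows failing for %SERVER_PRECEDENCE on 2.4.31.

```python
"""Offline audit of a GnuTLS priority string before handing it to slapd.

Added example, not from the bug report, OpenLDAP or GnuTLS. It parses the
documented priority-string grammar and checks a hardening policy; it never
contacts slapd and cannot tell whether a particular slapd build accepts an
option.
"""
from dataclasses import dataclass, field

# Initial keywords documented in the GnuTLS manual (partial list, assumed).
INITIAL_KEYWORDS = {"NONE", "NORMAL", "SECURE", "SECURE128", "SECURE192",
                    "SECURE256", "PFS", "PERFORMANCE", "LEGACY",
                    "SUITEB128", "SUITEB192"}

# "%" special options from the manual (partial list, assumed); unknown
# options are reported rather than rejected so newer ones still pass.
KNOWN_OPTIONS = {"SERVER_PRECEDENCE", "SAFE_RENEGOTIATION",
                 "UNSAFE_RENEGOTIATION", "PARTIAL_RENEGOTIATION",
                 "DISABLE_SAFE_RENEGOTIATION", "FALLBACK_SCSV", "COMPAT",
                 "NO_TICKETS", "NO_EXTENSIONS", "DISABLE_WILDCARDS"}


@dataclass
class Priority:
    initial: str
    added: list = field(default_factory=list)    # "+ALG" or bare "ALG"
    removed: list = field(default_factory=list)  # "-ALG" or "!ALG"
    options: list = field(default_factory=list)  # "%OPTION"


def parse_priority(text):
    """Split a priority string into keyword, added/removed items and options."""
    parts = [p.strip() for p in text.split(":") if p.strip()]
    if not parts or parts[0].upper() not in INITIAL_KEYWORDS:
        raise ValueError("priority string must start with a keyword such as "
                         "SECURE or NORMAL, got: %r" % text)
    prio = Priority(initial=parts[0].upper())
    for item in parts[1:]:
        sign, body = item[0], item[1:].upper()
        if sign == "+":
            prio.added.append(body)
        elif sign in "-!":            # '!' removes permanently; same for audit
            prio.removed.append(body)
        elif sign == "%":
            prio.options.append(body)
        else:                         # bare item: assumed to mean '+' (assumption)
            prio.added.append(item.upper())
    return prio


def audit_priority(text,
                   required_options=("SERVER_PRECEDENCE",),
                   must_remove=("VERS-SSL3.0", "3DES-CBC", "ARCFOUR-128")):
    """Return a list of policy findings; an empty list means the string passes."""
    prio = parse_priority(text)
    findings = []
    for opt in required_options:
        if opt not in prio.options:
            findings.append("missing %%%s (no server cipher order)" % opt)
    for alg in must_remove:
        if alg not in prio.removed:
            findings.append("%s is not removed" % alg)
    for opt in prio.options:
        if opt not in KNOWN_OPTIONS:
            findings.append("unrecognised option %%%s" % opt)
    return findings


def cipher_suite_ldif(text):
    """Build the cn=config LDIF from the report, refusing a string that fails audit."""
    findings = audit_priority(text)
    if findings:
        raise ValueError("refusing to emit LDIF: " + "; ".join(findings))
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: olcTLSCipherSuite\n"
            "olcTLSCipherSuite: %s\n"
            "-\n" % text)


if __name__ == "__main__":
    # Constructed sample: the string from the report and a weaker variant.
    for candidate in ("SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE",
                      "NORMAL:%COMPAT"):
        print(candidate, "->", audit_priority(candidate) or "ok")
```

Run it before touching cn=config; a string that audits clean still has to be tried against the slapd version actually deployed, and the report's crash is the reason to do that on a test instance rather than in production.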
