enterprise-support team mailing list archive
[Bug 1656979] [NEW] No support for DHE ciphers (TLS)
Public bug reported:
Hi,
It seems the OpenLDAP shipped with Xenial (and prior), built against GnuTLS,
does not support DHE cipher suites.
| hloeung@ldap-server:~$ apt-cache policy slapd
| slapd:
| Installed: 2.4.42+dfsg-2ubuntu3.1
| Candidate: 2.4.42+dfsg-2ubuntu3.1
| Version table:
| *** 2.4.42+dfsg-2ubuntu3.1 500
| 500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
| 100 /var/lib/dpkg/status
| 2.4.42+dfsg-2ubuntu3 500
| 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
Our LDAP server is configured with the following:
| TLSCertificateFile /etc/ssl/certs/ldap-server.crt
| TLSCertificateKeyFile /etc/ssl/private/ldap-server.key
| TLSCACertificateFile /etc/ssl/certs/ldap-server_chain.crt
| TLSProtocolMin 1.0
| TLSCipherSuite PFS:-VERS-SSL3.0:-DHE-DSS:-ARCFOUR-128:-3DES-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:%SERVER_PRECEDENCE
| TLSDHParamFile /etc/ssl/private/dhparams.pem
I know TLSDHParamFile isn't used by OpenLDAP when built with GnuTLS, but
thought I'd try anyway. cipherscan[1] shows the following list of
cipher suites:
| prio ciphersuite protocols pfs curves
| 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 4 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 5 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 6 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
Even with TLSCipherSuite config commented out, we see the following
cipher suites:
| prio ciphersuite protocols pfs curves
| 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 4 AES256-GCM-SHA384 TLSv1.2 None None
| 5 AES256-SHA256 TLSv1.2 None None
| 6 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 7 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 8 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 9 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 10 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 11 AES128-GCM-SHA256 TLSv1.2 None None
| 12 AES128-SHA256 TLSv1.2 None None
| 13 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 14 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 15 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 16 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
I think the fix is in the patch below, which was released in 2.4.39:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=622d13a32ec8d623c26a11b60b63e443dc86df99
Thanks,
Haw
[1]https://github.com/jvehent/cipherscan
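A small audit helper for the cipherscan tables quoted above; this is an added example, not code from the reporter or from cipherscan, and it assumes cipherscan's five-column "prio ciphersuite protocols pfs curves" layout shown in the report. The sample rows are constructed from the second (TLSCipherSuite commented out) listing, plus one made-up DHE row to show the positive case.

```python
# Parses cipherscan's table and flags what a defender cares about here:
# no DHE suites offered, suites without forward secrecy, 3DES, and
# suites still negotiable below TLS 1.2.

# Constructed sample rows copied from the "TLSCipherSuite commented out"
# listing in the bug report (subset, same column layout).
SAMPLE = """\
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
4 AES256-GCM-SHA384 TLSv1.2 None None
7 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
16 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
"""

# Hypothetical row (not from the report) showing what a DHE suite would
# look like if the server did offer one.
SAMPLE_WITH_DHE = SAMPLE + "17 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,2048bits None\n"


def parse_cipherscan(text):
    """Return one dict per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        rows.append({
            "prio": int(parts[0]),
            "suite": parts[1],
            "protocols": parts[2].split(","),
            "pfs": None if parts[3] == "None" else parts[3],
            "curves": parts[4],
        })
    return rows


def audit(rows):
    """Summarise the listener's offered suites from the parsed rows."""
    return {
        "has_dhe": any(r["suite"].startswith("DHE-") for r in rows),
        "has_ecdhe": any(r["suite"].startswith("ECDHE-") for r in rows),
        # pfs column "None" means no ephemeral key exchange at all
        "non_pfs": [r["suite"] for r in rows if r["pfs"] is None],
        "3des": [r["suite"] for r in rows if "DES-CBC3" in r["suite"]],
        "pre_tls12": [r["suite"] for r in rows
                      if any(p in ("TLSv1", "TLSv1.1") for p in r["protocols"])],
    }


if __name__ == "__main__":
    for name, text in (("report", SAMPLE), ("with-dhe", SAMPLE_WITH_DHE)):
        print(name, audit(parse_cipherscan(text)))
```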
** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1656979