← Back to team overview

touch-packages team mailing list archive

[Bug 1534230] Re: LDAP TLS connection stopped working

 

Hope this helps:

$ gnutls-cli -d 5 -p 636 xx.xx.xx.xx
Resolving 'xx.xx.xx.xx'...
Connecting to 'xx.xx.xx.xx:636'...
|<4>| REC[0x18dd150]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x18dd150]: Allocating epoch #1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x18dd150]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x18dd150]: Sending extension SERVER NAME (17 bytes)
|<2>| EXT[0x18dd150]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x18dd150]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x18dd150]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x18dd150]: CLIENT HELLO was sent [137 bytes]
|<4>| REC[0x18dd150]: Sending Packet[0] Handshake(22) with length: 137
|<4>| REC[0x18dd150]: Sent Packet[1] Handshake(22) with length: 142
|<4>| REC[0x18dd150]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x18dd150]: Received Packet[0] Handshake(22) with length: 1828
|<4>| REC[0x18dd150]: Decrypted Packet[0] Handshake(22) with length: 1828
|<3>| HSK[0x18dd150]: SERVER HELLO was received [81 bytes]
|<3>| HSK[0x18dd150]: Server's version: 3.3
|<3>| HSK[0x18dd150]: SessionID length: 32
|<3>| HSK[0x18dd150]: SessionID: 2b0122b46beded9d4f13d425eec48fa6e98846a1196077633b78ba8d40e62caa
|<3>| HSK[0x18dd150]: Selected cipher suite: RSA_CAMELLIA_256_CBC_SHA1
|<2>| EXT[0x18dd150]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<3>| HSK[0x18dd150]: Safe renegotiation succeeded
|<3>| HSK[0x18dd150]: CERTIFICATE was received [1743 bytes]
|<2>| ASSERT: auth_cert.c:1127
|<2>| ASSERT: gnutls_kx.c:705
|<2>| ASSERT: gnutls_handshake.c:2777
*** Fatal error: The signature algorithm is not supported.
|<4>| REC: Sending Alert[2|40] - Handshake failed
|<4>| REC[0x18dd150]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x18dd150]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: The signature algorithm is not supported.
|<4>| REC[0x18dd150]: Epoch #0 freed
|<4>| REC[0x18dd150]: Epoch #1 freed

And more info:
$ gnutls-cli-debug -p 636 xx.xx.xx.xx
Resolving 'xx.xx.xx.xx'...
Connecting to 'xx.xx.xx.xx:636'...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... yes
Checking for Safe renegotiation support (SCSV)... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... partially
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... no
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... no
Checking for ARCFOUR 40 cipher support... no
Checking for MD5 MAC support... no
Checking for SHA1 MAC support... yes
Checking for max record size (TLS extension)... no
Checking for OpenPGP authentication support (TLS extension)... no

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1534230

Title:
  LDAP TLS connection stopped working

Status in gnutls26 package in Ubuntu:
  Incomplete

Bug description:
  My LDAP authentication stopped working with the error: "The signature
  algorithm is not supported"

  This is GNUTLS Error code: -106
  GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM

  LDAP search reproduces it:

  $ ldapsearch -H ldaps://xxx.xxx.gov/ -b "OU=xxx" -x -d1
  ldap_url_parse_ext(ldaps://xxx.xxx.gov/)
  ldap_create
  ldap_url_parse_ext(ldaps://xxx.xxx.gov:636/??base)
  ldap_sasl_bind
  ldap_send_initial_request
  ldap_new_connection 1 1 0
  ldap_int_open_connection
  ldap_connect_to_host: TCP xxx.xxx.gov:636
  ldap_new_socket: 3
  ldap_prepare_socket: 3
  ldap_connect_to_host: Trying 128.219.164.41:636
  ldap_pvt_connect: fd: 3 tm: -1 async: 0
  TLS: can't connect: The signature algorithm is not supported..
  ldap_err2string
  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  It looks like the SHA1 support was removed from gnutls26...

  Other packages:
  ldap-utils:
  Version: 2.4.31-1+nmu2ubuntu8.2

  libsasl2-2:
  Version: 2.1.25.dfsg1-17build1

  libldap-2.4-2:
  Version: 2.4.31-1+nmu2ubuntu8.2

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libgnutls26 2.12.23-12ubuntu2.4
  ProcVersionSignature: Ubuntu 3.13.0-75.119-generic 3.13.11-ckt32
  Uname: Linux 3.13.0-75-generic x86_64
  NonfreeKernelModules: fglrx
  ApportVersion: 2.14.1-0ubuntu3.19
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Jan 14 11:38:36 2016
  InstallationDate: Installed on 2014-10-08 (462 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  SourcePackage: gnutls26
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230/+subscriptions


References