On 05/11/2018 13:48, Stuart Henderson wrote:
> On 2018-11-05, Joel Carnat <[email protected]> wrote:
>> Hi,
>> I'm using ldap(1) to query a remote Synology Directory Server (OpenLDAP 2.4.x).
>> Unfortunately, it fails saying:
>> TLS failed: handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
>> ldap: LDAP connection failed
>> When I use the OpenLDAP ldapsearch, same arguments, it succeeds.
>> Using openssl s_client, I could confirm that the OpenLDAP server accepts TLS:
>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> (...)
> If this were a cert problem you'd get a message like this from ldap(1):
> TLS failed: certificate verification failed: unable to get local issuer certificate
> ldap: LDAP connection failed
> or
> TLS failed: name `XX' not present in server certificate
> So it's not that.
> ldap(1) uses libtls, which defaults to only allowing secure ciphers, specifically TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE.
> ldap(1) doesn't provide a way to weaken that, though you could add a call to tls_config_set_ciphers(tls_config, "compat") in ldapc_connect() to test if it would work.
> Or an s_client command that would force these ciphers:
> openssl s_client -cipher TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE -CAfile /etc/ssl/cert.pem -connect $hostname:636
> If not, perhaps the Synology box is using old OpenSSL without support for these ciphers, or perhaps the cipher config is forcing only old ciphers. FWIW this is what I am currently using on OpenBSD slapd:
> olcTLSCipherSuite: TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
olcTLSCipherSuite is, by default, empty. I could change it to "HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL", which doesn't solve the problem.
When I try to set it to the same value as yours, it says:
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
From OpenBSD, the openssl command returns:
CONNECTED(00000003)
13559346237984:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/usr/src/lib/libssl/ssl_pkt.c:1200:SSL alert number 40
13559346237984:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/usr/src/lib/libssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1541425938
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
On the syno, I can see:
# openssl version
OpenSSL 1.0.2o-fips 27 Mar 2018
# openssl ciphers -v TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
Error in cipher list
139812538357392:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1383:
Does this definitively indicate that "ldap search" won't work with the OpenLDAP/OpenSSL shipped in Synology DSM?
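The s_client check suggested in the thread depends on the local OpenSSL understanding the libtls cipher-spec string, which the Synology's OpenSSL 1.0.2o rejects outright ("no cipher match"). The following is an added example, not code from this thread, ldap(1) or libtls: it hand-builds a TLS 1.2 ClientHello over a raw socket that offers only a chosen set of cipher suites, so the probe is independent of whatever cipher-string dialect the local openssl speaks, and it reports whether the server answers with a ServerHello (and which suite it picked) or with an alert such as handshake_failure (40). The 7-byte reply in the failing s_client run above is exactly one such alert record. The list of suites that "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" expands to is my assumption (AES-GCM and ChaCha20-Poly1305 with ECDHE or DHE key exchange), as are the RSA-key-exchange suites offered as a comparison set; the port, host name and the `probe`/`build_client_hello` function names are illustrative.

```python
"""Probe a TLS server with a hand-built TLS 1.2 ClientHello that offers only
a chosen set of cipher suites and classify the first record it sends back.
Added example (not the thread's or libtls' own code)."""
import os
import socket
import struct

# Assumption: this is the set of suites the libtls default spec
# "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" expands to (IANA codes, OpenSSL names).
LIBTLS_DEFAULT_SUITES = {
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xCCA9: "ECDHE-ECDSA-CHACHA20-POLY1305",
    0xCCA8: "ECDHE-RSA-CHACHA20-POLY1305",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
    0xCCAA: "DHE-RSA-CHACHA20-POLY1305",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
}
# Comparison set without forward secrecy (assumption); 0x009D is the
# AES256-GCM-SHA384 suite the successful default s_client run negotiated.
RSA_KEX_SUITES = {
    0x009D: "AES256-GCM-SHA384",
    0x009C: "AES128-GCM-SHA256",
    0x003D: "AES256-SHA256",
    0x0035: "AES256-SHA",
}
SUITE_NAMES = {**LIBTLS_DEFAULT_SUITES, **RSA_KEX_SUITES}
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
               70: "protocol_version", 80: "internal_error"}


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def _ext(ext_type, data):
    return _u16(ext_type) + _u16(len(data)) + data


def build_client_hello(server_name, suites=tuple(LIBTLS_DEFAULT_SUITES)):
    """Return one TLS record carrying a TLS 1.2 ClientHello offering `suites`."""
    suite_bytes = b"".join(_u16(s) for s in suites)
    name = server_name.encode("ascii")
    sni = _u16(len(name) + 3) + b"\x00" + _u16(len(name)) + name        # one host_name entry
    groups = b"".join(_u16(g) for g in (0x001D, 0x0017, 0x0018, 0x0019))  # x25519, P-256/384/521
    sigalgs = b"".join(_u16(a) for a in (0x0401, 0x0501, 0x0601, 0x0403, 0x0503, 0x0603))
    extensions = (_ext(0x0000, sni)
                  + _ext(0x000A, _u16(len(groups)) + groups)        # supported_groups
                  + _ext(0x000B, b"\x01\x00")                       # ec_point_formats: uncompressed
                  + _ext(0x000D, _u16(len(sigalgs)) + sigalgs))     # signature_algorithms
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, empty session id
            + _u16(len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                           # one compression method: null
            + _u16(len(extensions)) + extensions)
    handshake = b"\x01" + _u24(len(body)) + body                    # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake       # ContentType handshake


def parse_server_response(record):
    """Classify the first record the server sends back: alert or ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype = record[0]
    length = int.from_bytes(record[3:5], "big")
    payload = record[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                         # Alert: level, description
        level, desc = payload[0], payload[1]
        return {"type": "alert", "level": level, "description": desc,
                "name": ALERT_NAMES.get(desc, "unknown")}
    if ctype == 0x16 and payload and payload[0] == 0x02:            # Handshake: ServerHello
        sid_len = payload[38]                  # after 4-byte header, 2-byte version, 32-byte random
        off = 39 + sid_len
        suite = int.from_bytes(payload[off:off + 2], "big")
        return {"type": "server_hello", "cipher_suite": suite,
                "name": SUITE_NAMES.get(suite, "0x%04X" % suite)}
    raise ValueError("unexpected record type 0x%02X" % ctype)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection after %d bytes" % len(buf))
        buf += chunk
    return buf


def probe(host, port=636, suites=tuple(LIBTLS_DEFAULT_SUITES), server_name=None, timeout=5.0):
    """Send the ClientHello over a raw socket and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host, suites))
        header = _recv_exact(sock, 5)
        body = _recv_exact(sock, int.from_bytes(header[3:5], "big"))
        return parse_server_response(header + body)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                                              # e.g. the Synology's LDAPS host
    print("libtls defaults:", probe(host))
    print("plus RSA-kex suites:", probe(host, suites=tuple(LIBTLS_DEFAULT_SUITES) + tuple(RSA_KEX_SUITES)))
```

Running it against a server that only speaks the older suites reproduces the thread's two observations side by side: the first probe gets back an alert record (level 2, description 40, handshake_failure), while the second, which additionally offers the RSA-key-exchange suites, gets a ServerHello naming AES256-GCM-SHA384. If the first probe instead returns a ServerHello, the server does support the libtls defaults and the cipher list is not what is breaking ldap(1).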