I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6)
when attempting to disable SSLv3. I have compiled the servers with the
--with-tls=openssl option and communication appears to be working well
between servers no matter what I have for SSL Protocol. My problems are
with the clients.
For client configuration I install the openldap-clients package via yum
install. Everything works as expected with this setting on the server side:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
as soon as I modify the +SSLv3 to -SSLv3 to this:
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
the client no longer works. I have tried just about everything I can
think of. I /can/ get ldapsearch to work properly when I compile the
openldap source on the client but sssd / authentication on the Red Hat
side still fails. Here is the error message I am getting:
54481b75 slap_listener_activate(8):
54481b75 >>> slap_listener(ldaps://blah)
54481b75 connection_get(38): got connid=1009
54481b75 connection_read(38): checking for input on id=1009
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher.
54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing
54481b75 connection_close: conn=1009 sd=38
I am assuming this has something to do with RHEL clients linking to
MozNSS libraries instead of openssl but cannot be sure of that. Again,
to be clear - I do not change anything but the olcTLSCipherSuite entry
so I do not believe it is a certificate issue.
Is there a solution to LDAP auth for RHEL clients with only allowing
TLSv1.2? I will gladly compile from source or use the LTB Project rpms.
Thanks in advance,
--
Peter Boguszewski
Manager of Library Systems
UW Madison - Library Technology Group
608.262.4768
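As an added example (not part of Peter's post and not OpenLDAP project code), the following Python script triages slapd TLS debug output of the kind quoted above: it groups the listener's `connection_get` / `connection_read` lines by connection id, attaches the `TLS trace:` and `TLS: can't accept:` lines that follow to that connection, and summarizes why handshakes failed. The sample log embedded in the script is constructed to resemble the post's output (one "no shared cipher" failure, one successful handshake); the attribution of `TLS trace:` lines to the most recently seen connection id is a heuristic, since slapd does not tag those lines with an id.

```python
import re
from collections import Counter

# Constructed sample slapd debug output, modeled on the lines quoted in the
# post. It is not a real capture: connection 1009 fails the handshake with
# "no shared cipher", connection 1010 completes it.
SAMPLE_LOG = """\
54481b75 connection_get(38): got connid=1009
54481b75 connection_read(38): checking for input on id=1009
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.
54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing
54481b75 connection_close: conn=1009 sd=38
54481b76 connection_get(39): got connid=1010
54481b76 connection_read(39): checking for input on id=1010
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
54481b76 connection_read(39): TLS established tls_ssf=256 ssf=256
"""

# Patterns for the slapd lines we care about. Timestamps/op ids at the start
# of a line vary, so the connection_* patterns are searched, not anchored.
GET_RE = re.compile(r"connection_get\((?P<fd>\d+)\): got connid=(?P<id>\d+)")
READ_RE = re.compile(r"connection_read\((?P<fd>\d+)\): checking for input on id=(?P<id>\d+)")
ALERT_RE = re.compile(r"^TLS trace: SSL3 alert write:(?P<level>\w+):(?P<desc>.+)$")
ERR_RE = re.compile(
    r"^TLS: can't accept: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>.*?)\.?\s*$"
)
FAIL_RE = re.compile(r"connection_read\((?P<fd>\d+)\): TLS accept failure error=(?P<err>-?\d+) id=(?P<id>\d+)")
OK_RE = re.compile(r"connection_read\((?P<fd>\d+)\): TLS established tls_ssf=(?P<ssf>\d+)")


def _new_record(fd):
    return {"fd": fd, "status": "pending", "alert": None, "openssl_code": None, "reason": None}


def triage_tls_handshakes(log_text):
    """Return {connid: record} describing the TLS handshake outcome per connection."""
    conns = {}
    current = None  # connid that following untagged "TLS ..." lines most likely belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        m = GET_RE.search(line) or READ_RE.search(line)
        if m:
            current = m["id"]
            conns.setdefault(current, _new_record(m["fd"]))
            continue
        if current is None:
            continue  # TLS lines before any connection context cannot be attributed
        if (m := ALERT_RE.match(line)):
            conns[current]["alert"] = f"{m['level']}:{m['desc']}"
        elif (m := ERR_RE.match(line)):
            conns[current]["openssl_code"] = m["code"]
            conns[current]["reason"] = m["reason"]
        elif (m := FAIL_RE.search(line)):
            conns.setdefault(m["id"], _new_record(m["fd"]))["status"] = "failed"
        elif (m := OK_RE.search(line)):
            conns[current]["status"] = "established"
            conns[current]["ssf"] = int(m["ssf"])
    return conns


def summarize(conns):
    """Count failed handshakes by the OpenSSL reason string (or 'unknown')."""
    counts = Counter(
        rec["reason"] or "unknown" for rec in conns.values() if rec["status"] == "failed"
    )
    return dict(counts)


if __name__ == "__main__":
    results = triage_tls_handshakes(SAMPLE_LOG)
    for connid, rec in sorted(results.items()):
        print(connid, rec["status"], rec["alert"] or "", rec["reason"] or "")
    print("failure reasons:", summarize(results))
```

Run against a real `slapd -d -1` capture (or the TLS-related subset of it), the summary separates cipher/protocol negotiation failures such as "no shared cipher" from certificate or other errors, which is the first thing to establish when a TLS configuration change breaks only some clients.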