Bug#473796: [Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely
On Sun, Jul 27, 2008 at 10:22:48PM +0200, Petter Reinholdtsen wrote: tags 473796 + patch thanks Here is what I believe is the correct patch to solve this problem. It is from upstream. I'm testing this patch in Debian Edu now. Did you see that this bug is already tagged 'pending'? -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#473796: [Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely
--On Sunday, June 29, 2008 1:12 AM -0700 Steve Langasek [EMAIL PROTECTED] wrote: I.e., the TLS SSF is 32. So no value 32 will ever work. This suggests to me that the SSF values haven't been properly normalized for GNUtls. Doesn't the 128 mean, roughly, a symmetric cipher with keylength of 128? Surely the user's TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1 should satisfy this? The GnuTLS library is what reports back the SSF value. It may be worthwhile to discuss with them why their values are so low. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#473796: [Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely
--On Monday, June 30, 2008 2:26 PM -0700 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: This suggests to me that the SSF values haven't been properly normalized for GNUtls. Doesn't the 128 mean, roughly, a symmetric cipher with keylength of 128? Surely the user's TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1 should satisfy this? The GnuTLS library is what reports back the SSF value. It may be worthwhile to discuss with them why their values are so low. Scratch that, it is an OpenLDAP conversion bug. I'll file an ITS on it and report back. http://www.openldap.org/its/index.cgi/?findid=5585 --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#473796: [Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely
--On Monday, June 30, 2008 2:22 PM -0700 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: --On Sunday, June 29, 2008 1:12 AM -0700 Steve Langasek [EMAIL PROTECTED] wrote: I.e., the TLS SSF is 32. So no value 32 will ever work. This suggests to me that the SSF values haven't been properly normalized for GNUtls. Doesn't the 128 mean, roughly, a symmetric cipher with keylength of 128? Surely the user's TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1 should satisfy this? The GnuTLS library is what reports back the SSF value. It may be worthwhile to discuss with them why their values are so low. Scratch that, it is an OpenLDAP conversion bug. I'll file an ITS on it and report back. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#473796: [Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely
--On Monday, June 30, 2008 2:29 PM -0700 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: --On Monday, June 30, 2008 2:26 PM -0700 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: This suggests to me that the SSF values haven't been properly normalized for GNUtls. Doesn't the 128 mean, roughly, a symmetric cipher with keylength of 128? Surely the user's TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1 should satisfy this? The GnuTLS library is what reports back the SSF value. It may be worthwhile to discuss with them why their values are so low. Scratch that, it is an OpenLDAP conversion bug. I'll file an ITS on it and report back. http://www.openldap.org/its/index.cgi/?findid=5585 Fixed: Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap Modified Files: tls.c 1.160 - 1.161 Log Message: ITS#5585 GnuTLS key strength is in bytes, we expected bits CVS Web URLs: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/ http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls.c -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#473796: [Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely
On Thu, Apr 03, 2008 at 12:28:56PM -0700, Quanah Gibson-Mount wrote: ok, more testing, more news: now with the slapd 2.4.7 package (with gnutls) this seems to force client-certs, too. a TLS query without client-cert won't work - but commenting the 'security' line out results in working TLS and working non-TLS queries. The default behavior when TLS is enabled is TLSVerifyClient never; 2.4.7 did have a bug related to this, but this was resolved in the 2.4.7-5 package. well it seems to me like with gnutls the 'security tls=' value controls the tls reqirements, TLSVerifyClient is (more or less?) ignored. but i could be missing something ofc... all queries done with a server cert and without a client cert: security tls=128 TLSVerifyClient never ldapsearch fails (TLS confidentiality required) ldapsearch -ZZ fails (stronger TLS confidentiality required) This will always fail as long as the keystrength of the cert in question is so low. It states quite clearly in your log: conn=0 fd=12 TLS established tls_ssf=32 ssf=32 I.e., the TLS SSF is 32. So no value 32 will ever work. This suggests to me that the SSF values haven't been properly normalized for GNUtls. Doesn't the 128 mean, roughly, a symmetric cipher with keylength of 128? Surely the user's TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1 should satisfy this? -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]