Re: ssl_cipher_list_to_bytes:no ciphers available

2021-05-04 Thread Howard Chu
Michael Ströder wrote:
> HI!
> 
> I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
> 2.5.4 when connecting to a 2.4 provider:
> 
> TLS: can't connect: error:141A90B5:SSL
> routines:ssl_cipher_list_to_bytes:no ciphers available.
> 
> A 2.4.58 consumer replica works just fine.
> 
> There is this commit in RE25 and I'm not sure whether that introduces a
> regression on my system:
> 
> b72bce2400ce303766f355a1dd37f4012754c942
> ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
> 
> BTW: openSUSE has implemented something like a crypto policy configuration:
> 
> https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openssl-1.1.1-system-cipherlist.patch?expand=1
> 
> Any clue what's going on?

What ciphers have you configured on your client and server? What versions of 
OpenSSL are running on each?
> 
> Ciao, Michael.
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


ssl_cipher_list_to_bytes:no ciphers available

2021-05-04 Thread Michael Ströder
HI!

I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
2.5.4 when connecting to a 2.4 provider:

TLS: can't connect: error:141A90B5:SSL
routines:ssl_cipher_list_to_bytes:no ciphers available.

A 2.4.58 consumer replica works just fine.

There is this commit in RE25 and I'm not sure whether that introduces a
regression on my system:

b72bce2400ce303766f355a1dd37f4012754c942
ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1

BTW: openSUSE has implemented something like a crypto policy configuration:

https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openssl-1.1.1-system-cipherlist.patch?expand=1

Any clue what's going on?

Ciao, Michael.
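The "no ciphers available" failure is raised while OpenSSL builds the ClientHello cipher list, i.e. after the configured cipher string has been filtered down to what the linked OpenSSL actually supports for the protocol versions in use. Before comparing client and server settings, it helps to see what a given cipher string yields on the local OpenSSL. The following check is an added example and not code from OpenLDAP, openSUSE or this thread; it uses only Python's standard `ssl` module, the sample cipher strings are constructed for illustration, and it cannot exercise the separate TLS 1.3 cipher-suite setting (Python exposes no equivalent of `SSL_CTX_set_ciphersuites`), so the TLS 1.3 entries it reports are OpenSSL's defaults.

```python
import ssl
from typing import Dict, List


def ciphers_by_protocol(cipher_string: str) -> Dict[str, List[str]]:
    """Ask the local OpenSSL which ciphers match an OpenSSL cipher string.

    Returns a mapping of protocol version (e.g. "TLSv1.2", "TLSv1.3") to the
    cipher names OpenSSL would offer for that version.  An empty dict means
    OpenSSL rejected the string outright ("No cipher can be selected"), which
    leaves a client with nothing to put into its ClientHello.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    grouped: Dict[str, List[str]] = {}
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def usable_for(cipher_string: str, protocol: str) -> bool:
    """True if the cipher string leaves at least one cipher for `protocol`."""
    return bool(ciphers_by_protocol(cipher_string).get(protocol))


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    # Constructed sample strings; in practice use the value of TLSCipherSuite
    # (ldap.conf / olcTLSCipherSuite) from both the client and the server.
    for s in ("HIGH:!aNULL", "ECDHE+AESGCM", "NO-SUCH-CIPHER"):
        report = ciphers_by_protocol(s)
        if not report:
            print(f"{s!r}: rejected by OpenSSL (no cipher can be selected)")
            continue
        for proto, names in sorted(report.items()):
            print(f"{s!r} {proto}: {len(names)} cipher(s), e.g. {names[0]}")
```

Run it on the consumer host with the cipher string from its `ldap.conf` or `slapd` configuration and again with the provider's; if one side's string yields no TLSv1.2 entries on its OpenSSL build, or a distribution-level cipher policy like the openSUSE patch linked above rewrites the string, the two sides have no overlap to negotiate and the connection fails before any handshake is exchanged.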


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-04 Thread Ondřej Kuzník
On Tue, May 04, 2021 at 12:07:20PM +0200, Michael Ströder wrote:
> Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
> below). These might be related to ITS#9279, though I'm not sure. Any
> changes in this area?

Don't know, my guess is to compare it with tests/scripts/test022-ppolicy
to see what the difference is between it and what you're doing.

Don't think this applies here, but a lot of ppolicy behaviour changes
based on whether you're classed as a "password administrator" (having
"manage" access to the password attribute on the entry), see ITS#7084
and the ppolicy draft. If it makes a difference, it's possible that some
of this is interfering, or that it's intentional, will probably have to
decide on a case by case basis.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-04 Thread Michael Ströder
On 5/4/21 9:47 AM, Ondřej Kuzník wrote:
> On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
>> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
>> python-ldap0 tests (see test output below).
>> [..]
>> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
>> expired! 2 grace logins left.'
> 
> Does the count reported match the wording of the draft in section 6.2?
> [..]
> If not, please reopen ITS#7596 with a test case.

Thanks for pointing out ITS#7596. I've now updated my test to match the
new behaviour when running on OpenLDAP 2.5.

Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
below). These might be related to ITS#9279, though I'm not sure. Any
changes in this area?

Ciao, Michael.

==
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 287, in test001_pwdpolicy_expiration
    self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError:  is not an instance of 

==
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 308, in test002_pwdpolicy_expired
    l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised


Re: slapo-ppolicy 2.4 vs. 2.5

2021-05-04 Thread Ondřej Kuzník
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
> HI!
> 
> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
> python-ldap0 tests (see test output below).
> 
> Tests:
> https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
> 
> When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0
> tests to accommodate the behaviour of OpenLDAP 2.4.x. I did not feel
> comfortable back then because it was not clear to me whether it was the
> correct fix.
> 
> Do you have any tests you could run against 2.4 and 2.5 to verify
> whether both have same behaviour?
> 
> Ciao, Michael.
> 
> ==
> FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
> --
> Traceback (most recent call last):
>   File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 235, in test003_ppolicy_grace_logins
>     self.assertEqual(
> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
> expired! 2 grace logins left.'
> - Password expired! 1 grace logins left.
> ?   ^
> + Password expired! 2 grace logins left.
> ?   ^

Does the count reported match the wording of the draft in section 6.2?

"""
The graceAuthNsRemaining warning specifies the remaining number of times
a user will be allowed to authenticate with an expired password.
"""

If not, please reopen ITS#7596 with a test case.

Thanks,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
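The grace-login count the test compares against comes from the `graceAuthNsRemaining` warning inside the ppolicy response control, which the draft defines as `PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }`. The encoder and decoder below are an added example for readers following this thread, not code from python-ldap0 or OpenLDAP; they assume the draft-behera-ldap-password-policy layout with LDAP's implicit tagging (the CHOICE therefore sits inside an explicit `[0]` constructed tag), the error names are the draft's enumeration, the sample control value is constructed here, and the message wording in `describe()` is modelled on the test strings quoted above.

```python
from typing import Dict, Optional, Tuple

# error values of PasswordPolicyResponseValue (draft-behera-ldap-password-policy)
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal-length two's-complement content octets for INTEGER/ENUMERATED."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return n.to_bytes(length, "big", signed=True)


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def encode_ppolicy_response(time_before_expiration: Optional[int] = None,
                            grace_auths_remaining: Optional[int] = None,
                            error: Optional[int] = None) -> bytes:
    """Build the controlValue octets of a ppolicy response control."""
    if time_before_expiration is not None and grace_auths_remaining is not None:
        raise ValueError("warning is a CHOICE: supply at most one warning")
    content = b""
    if time_before_expiration is not None:
        content += _tlv(0xA0, _tlv(0x80, _ber_int(time_before_expiration)))
    elif grace_auths_remaining is not None:
        content += _tlv(0xA0, _tlv(0x81, _ber_int(grace_auths_remaining)))
    if error is not None:
        content += _tlv(0x81, _ber_int(error))
    return _tlv(0x30, content)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value: bytes) -> Dict[str, Optional[object]]:
    """Parse PasswordPolicyResponseValue strictly: no trailing or unknown data."""
    result: Dict[str, Optional[object]] = {
        "time_before_expiration": None, "grace_auths_remaining": None, "error": None}
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # warning [0] CHOICE, explicitly tagged
            wtag, wval, wend = _read_tlv(content, 0)
            if wend != len(content):
                raise ValueError("garbage after warning CHOICE")
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:
                result["time_before_expiration"] = n
            elif wtag == 0x81:
                result["grace_auths_remaining"] = n
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == 0x81:  # error [1] ENUMERATED
            code = int.from_bytes(content, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return result


def describe(value: bytes) -> str:
    """Render a decoded control in the wording used by the tests above."""
    r = decode_ppolicy_response(value)
    parts = []
    if r["error"] == "passwordExpired":
        parts.append("Password expired!")
    elif r["error"]:
        parts.append(f"Policy error: {r['error']}.")
    if r["grace_auths_remaining"] is not None:
        parts.append(f"{r['grace_auths_remaining']} grace logins left.")
    if r["time_before_expiration"] is not None:
        parts.append(f"Password expires in {r['time_before_expiration']} seconds.")
    return " ".join(parts)
```

With this, a test can capture the raw control value a 2.4 and a 2.5 server return on the same bind and compare the decoded `grace_auths_remaining` directly against the draft's wording ("the remaining number of times a user will be allowed to authenticate with an expired password"), which separates a server-side counting change from a client-side decoding difference; the decoder rejects truncated and trailing data rather than silently reading a count out of malformed input.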