[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2018-05-11 Thread Launchpad Bug Tracker
[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openldap (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1656979

Title:
  No support for DHE ciphers (TLS)

Status in openldap package in Ubuntu:
  Expired

Bug description:
  Hi,

  Seems the OpenLDAP shipped with Xenial (and prior) built against
  GnuTLS does not support DHE cipher suites.

  | hloeung@ldap-server:~$ apt-cache policy slapd
  | slapd:
  |   Installed: 2.4.42+dfsg-2ubuntu3.1
  |   Candidate: 2.4.42+dfsg-2ubuntu3.1
  |   Version table:
  |  *** 2.4.42+dfsg-2ubuntu3.1 500
  |         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
  |         100 /var/lib/dpkg/status
  |      2.4.42+dfsg-2ubuntu3 500
  |         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  Our LDAP server is configured with the following:

  | TLSCertificateFile /etc/ssl/certs/ldap-server.crt
  | TLSCertificateKeyFile /etc/ssl/private/ldap-server.key
  | TLSCACertificateFile /etc/ssl/certs/ldap-server_chain.crt
  | TLSProtocolMin 1.0
  | TLSCipherSuite PFS:-VERS-SSL3.0:-DHE-DSS:-ARCFOUR-128:-3DES-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:%SERVER_PRECEDENCE
  | TLSDHParamFile /etc/ssl/private/dhparams.pem

  I know TLSDHParamFile isn't used by OpenLDAP when built with GnuTLS,
  but thought I'd try anyways. cipherscan[1] shows the following list of
  cipher suites:

  | prio  ciphersuite                  protocols              pfs                 curves
  | 1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 5     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 6     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1

  Even with TLSCipherSuite config commented out, we see the following
  cipher suites:

  | prio  ciphersuite                  protocols              pfs                 curves
  | 1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 4     AES256-GCM-SHA384            TLSv1.2                None                None
  | 5     AES256-SHA256                TLSv1.2                None                None
  | 6     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
  | 7     CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
  | 8     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 9     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 10    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 11    AES128-GCM-SHA256            TLSv1.2                None                None
  | 12    AES128-SHA256                TLSv1.2                None                None
  | 13    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
  | 14    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
  | 15    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

  I think the fix is in the patch below that's released in 2.4.39:

  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=622d13a32ec8d623c26a11b60b63e443dc86df99

  
  Thanks,

  Haw

  
  [1]https://github.com/jvehent/cipherscan

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : 
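
The forward-secrecy check that the report above does by eye, as an added example that is not part of the bug report and not code from cipherscan or OpenLDAP: it parses the table cipherscan prints and classifies each offered suite by key exchange, so "no DHE suites at all" and "half the suites have no forward secrecy" fall out mechanically. The sample rows are constructed from the second scan quoted in the report.

```python
"""Audit a cipherscan result table for forward-secrecy (PFS) coverage.

Added example; not the bug reporter's code and not part of cipherscan.
It reads the prio / ciphersuite / protocols / pfs / curves table that
cipherscan prints and reports which suites use DHE, ECDHE, or static RSA
key exchange.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the 16-suite scan quoted in the bug report
# (taken with the TLSCipherSuite directive commented out).
SAMPLE_SCAN = """\
prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
4     AES256-GCM-SHA384            TLSv1.2                None                None
5     AES256-SHA256                TLSv1.2                None                None
6     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
7     CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
8     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
9     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
10    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
11    AES128-GCM-SHA256            TLSv1.2                None                None
12    AES128-SHA256                TLSv1.2                None                None
13    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
14    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
15    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
"""


@dataclass(frozen=True)
class Suite:
    prio: int
    name: str
    protocols: tuple
    pfs: str
    curves: str


def parse_cipherscan(text):
    """Parse cipherscan's table: one data row per offered suite, five columns."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a 5-column data row.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        prio, name, protos, pfs, curves = fields
        suites.append(Suite(int(prio), name, tuple(protos.split(",")), pfs, curves))
    return suites


def key_exchange(name):
    """Classify the key exchange from an OpenSSL-style suite name."""
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):
        return "DHE"
    # Static RSA key exchange: no forward secrecy, a leaked server key
    # decrypts recorded sessions.
    return "RSA"


def audit(suites):
    """Summarise key-exchange coverage and flag rows worth a second look."""
    kx = Counter(key_exchange(s.name) for s in suites)
    no_pfs = [s.name for s in suites if s.pfs == "None"]
    # cipherscan's own pfs column should agree with the name-based classification.
    mismatches = [s.name for s in suites
                  if (s.pfs == "None") != (key_exchange(s.name) == "RSA")]
    # Legacy ciphers the report's TLSCipherSuite string was trying to remove.
    legacy = [s.name for s in suites
              if any(tag in s.name for tag in ("DES-CBC3", "CAMELLIA", "RC4"))]
    return {"total": len(suites), "dhe": kx["DHE"], "ecdhe": kx["ECDHE"],
            "rsa": kx["RSA"], "no_pfs": no_pfs, "mismatches": mismatches,
            "legacy": legacy}


if __name__ == "__main__":
    report = audit(parse_cipherscan(SAMPLE_SCAN))
    print(f"{report['total']} suites: {report['ecdhe']} ECDHE, "
          f"{report['dhe']} DHE, {report['rsa']} static RSA")
    if report["dhe"] == 0:
        print("no DHE suites offered (the symptom reported in this bug)")
    for name in report["no_pfs"]:
        print("no forward secrecy:", name)
    for name in report["legacy"]:
        print("legacy cipher still offered:", name)
```

Feed it the real cipherscan output of a slapd instance instead of SAMPLE_SCAN to see whether a rebuilt package actually starts offering DHE suites.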

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2018-03-12 Thread Junien Fridrick
** Changed in: openldap (Ubuntu)
   Status: Expired => Incomplete

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2018-03-09 Thread Launchpad Bug Tracker
[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openldap (Ubuntu)
   Status: Incomplete => Expired


[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2018-01-07 Thread Junien Fridrick
** Changed in: openldap (Ubuntu)
   Status: Expired => Incomplete

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2018-01-02 Thread Launchpad Bug Tracker
[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openldap (Ubuntu)
   Status: Incomplete => Expired


[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2017-11-03 Thread Haw Loeung
** Changed in: openldap (Ubuntu)
   Status: Expired => Incomplete

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2017-10-28 Thread Launchpad Bug Tracker
[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openldap (Ubuntu)
   Status: Incomplete => Expired


[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2017-08-29 Thread Ryan Tandy
Hello Haw,

openldap 2.4.45 is in artful now, so this should be fixed. Could you
please try your cipherscan again and confirm?

Thanks!

** Changed in: openldap (Ubuntu)
   Status: New => Incomplete

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2017-02-10 Thread Haw Loeung
Also:

https://anonscm.debian.org/git/pkg-openldap/openldap.git/tree/libraries/libldap/tls_g.c#n317

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2017-02-10 Thread Haw Loeung
Hmm, not too sure why that is. The version in Debian (and also Ubuntu)
definitely doesn't include that patch:

| $ chdist apt-get xenial source slapd
| Reading package lists... Done
| Picking 'openldap' as source package instead of 'slapd'
| NOTICE: 'openldap' packaging is maintained in the 'Git' version control system at:
| git://anonscm.debian.org/pkg-openldap/openldap.git
| Please use:
| git clone git://anonscm.debian.org/pkg-openldap/openldap.git
| Need to get 4993 kB of source archives.
| Get:1 http://archive.ubuntu.com/ubuntu xenial-updates/main openldap 2.4.42+dfsg-2ubuntu3.1 (dsc) [3040 B]
| Get:2 http://archive.ubuntu.com/ubuntu xenial-updates/main openldap 2.4.42+dfsg-2ubuntu3.1 (tar) [4813 kB]
| Get:3 http://archive.ubuntu.com/ubuntu xenial-updates/main openldap 2.4.42+dfsg-2ubuntu3.1 (diff) [177 kB]
| Fetched 4993 kB in 14s (343 kB/s)

| $ grep DH_BITS ./libraries/libldap/tls_g.c
| #define DH_BITS (1024)
| gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);

The online source viewer also confirms this:

https://anonscm.debian.org/git/pkg-openldap/openldap.git/tree/libraries/libldap/tls_g.c#n47
https://anonscm.debian.org/git/pkg-openldap/openldap.git/tree/libraries/libldap/tls_g.c#n294

** Changed in: openldap (Ubuntu)
   Status: Incomplete => New

[Touch-packages] [Bug 1656979] Re: No support for DHE ciphers (TLS)

2017-02-10 Thread Nish Aravamudan
Hello, I'm a bit confused. As you noted, Xenial (and on) have 2.4.42 as
the base, but the fix you mention is in 2.4.39. So is it not fixed
upstream? Or is this a result of the GnuTLS build?

** Changed in: openldap (Ubuntu)
   Status: New => Incomplete
