Thanks for the report.
Confirmed in trusty, but cannot reproduce in xenial. However, gnutls-
serv in trusty does accept the flag.
Can you please check whether this still happens for you on a more recent
release, and whether your SSL tester actually reports the problem is
fixed?
** Changed in: openldap (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1591681
Title:
Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd
Status in openldap package in Ubuntu:
Incomplete
Bug description:
While securing our boxes, I noticed that testssl was flagging the
absence of server cipher order:
./testssl.sh localhost:636
Has server cipher order? nope (NOT ok)
While trying to set it using the following command, slapd just
crashed:
dapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite:
SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE
-
EOF
Without the %SERVER_PRECEDENCE, it works.
According to https://gnutls.org/manual/html_node/Priority-Strings.html
and http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-
with-gnutls/ this is indeed the proper setting to add server cipher
order.
Same issue happens with %FALLBACK_SCSV ("Downgrade attack prevention
NOT supported"). There seems to be no setting to fix "Secure Client-
Initiated Renegotiation".
However, adding %SAFE_RENEGOTIATION (although not fixing anything) at
least doesn't crash slapd
1) root@xl:~# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
2) root@xl:~# apt-cache policy slapd
slapd:
Installed: 2.4.31-1+nmu2ubuntu8.2
Candidate: 2.4.31-1+nmu2ubuntu8.2
Version table:
*** 2.4.31-1+nmu2ubuntu8.2 0
500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64
Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64
Packages
100 /var/lib/dpkg/status
2.4.31-1+nmu2ubuntu8 0
500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
3) What I expected to happen:
There should be a a way to enforce server cipher order in slapd, as
well as protect against Client-Initiated Renegotiation and prevent
downgrade attacks
4) What happened instead
When trying to enable these settings that would make slapd more
secure, it crashes (and after restart, the requested settings are
still not enabled)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1591681/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
