I tried it on Xenial, but now I get the following error whatever I do
with LDAP:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
But, apart from that, trusty is a "long term support" release, and is
supposed to get security fixes until April 2019.
** Changed in: openldap (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1591681
Title:
Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd
Status in openldap package in Ubuntu:
Confirmed
Bug description:
While securing our boxes, I noticed that testssl was flagging the
absence of server cipher order:
./testssl.sh localhost:636
Has server cipher order? nope (NOT ok)
While trying to set it using the following command, slapd just
crashed:
ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE
-
EOF
Without the %SERVER_PRECEDENCE, it works.
According to https://gnutls.org/manual/html_node/Priority-Strings.html
and http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-with-gnutls/
this is indeed the proper setting to add server cipher order.
Same issue happens with %FALLBACK_SCSV ("Downgrade attack prevention
NOT supported"). There seems to be no setting to fix "Secure
Client-Initiated Renegotiation".
However, adding %SAFE_RENEGOTIATION (although not fixing anything) at
least doesn't crash slapd.
1) root@xl:~# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
2) root@xl:~# apt-cache policy slapd
slapd:
  Installed: 2.4.31-1+nmu2ubuntu8.2
  Candidate: 2.4.31-1+nmu2ubuntu8.2
  Version table:
 *** 2.4.31-1+nmu2ubuntu8.2 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.31-1+nmu2ubuntu8 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
3) What I expected to happen:
There should be a way to enforce server cipher order in slapd, as
well as protect against Client-Initiated Renegotiation and prevent
downgrade attacks.
4) What happened instead:
When trying to enable these settings that would make slapd more
secure, it crashes (and after restart, the requested settings are
still not enabled).
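The following is an added example, not code from the bug report or from the openldap/GnuTLS projects. It parses a GnuTLS priority string of the kind used for olcTLSCipherSuite above (base keyword, then +/-/! algorithm modifiers and %-options, as documented in the GnuTLS priority-string manual), reports which of the three hardening options discussed in the report are absent, and emits the cn=config change record with RFC 2849 line folding (continuation lines begin with a single space), which is what an ldapmodify input needs when the attribute value is long. Function names (parse_priority, missing_hardening, cipher_suite_ldif, unfold_ldif) and the HARDENING_FLAGS table are this example's own, and the sample priority string is the one from the report.

```python
"""Added example: inspect a GnuTLS priority string and build the LDIF
that sets it as olcTLSCipherSuite.  Constructed for illustration; it
does not talk to slapd and does not use GnuTLS itself."""

# The three %-options the bug report tries to enable, mapped to the
# testssl.sh finding each one addresses.
HARDENING_FLAGS = {
    "%SERVER_PRECEDENCE": "server cipher order",
    "%FALLBACK_SCSV": "downgrade attack prevention (TLS_FALLBACK_SCSV)",
    "%SAFE_RENEGOTIATION": "safe renegotiation (RFC 5746)",
}


def parse_priority(priority: str) -> dict:
    """Split a GnuTLS priority string into base keyword, modifiers and options.

    Elements are ':'-separated.  The first is a base keyword (NORMAL,
    SECURE, ...); later ones are algorithms prefixed with '+' (add) or
    '-'/'!' (remove), or special options prefixed with '%'.
    """
    parts = [p for p in priority.split(":") if p]
    if not parts:
        raise ValueError("empty priority string")
    result = {"base": parts[0], "add": [], "remove": [], "options": []}
    for item in parts[1:]:
        if item.startswith("%"):
            result["options"].append(item)
        elif item.startswith("+"):
            result["add"].append(item[1:])
        elif item.startswith(("-", "!")):
            result["remove"].append(item[1:])
        else:
            raise ValueError(f"unexpected element {item!r}: expected +, -, ! or % prefix")
    return result


def missing_hardening(priority: str) -> list:
    """Return the hardening options from HARDENING_FLAGS that are not set."""
    present = set(parse_priority(priority)["options"])
    return [flag for flag in HARDENING_FLAGS if flag not in present]


def fold_ldif_line(line: str, width: int = 76) -> list:
    """Fold one LDIF line per RFC 2849: continuation lines start with a space."""
    if len(line) <= width:
        return [line]
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks


def cipher_suite_ldif(priority: str) -> str:
    """Build the cn=config modify record that replaces olcTLSCipherSuite."""
    lines = ["dn: cn=config", "changetype: modify", "replace: olcTLSCipherSuite"]
    lines += fold_ldif_line(f"olcTLSCipherSuite: {priority}")
    lines.append("-")
    return "\n".join(lines) + "\n"


def unfold_ldif(text: str) -> list:
    """Join RFC 2849 continuation lines back onto the line they extend."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


if __name__ == "__main__":
    # Priority string from the bug report (sample input).
    example = "SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE"
    print(parse_priority(example))
    for flag in missing_hardening(example):
        print(f"missing {flag}: {HARDENING_FLAGS[flag]}")
    print(cipher_suite_ldif(example), end="")
```

Piping the output of cipher_suite_ldif() into ldapmodify -Y EXTERNAL -H ldapi:/// reproduces the change the report describes; the folding matters because the full attribute line here is 80 characters, so a naive one-line-per-attribute writer would either exceed the RFC 2849 width or, as in the report's pasted LDIF, end up with the value on a line that ldapmodify cannot associate with the attribute.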