Hello, I'm a bit confused. As you noted, Xenial (and on) have 2.4.42 as
the base, but the fix you mention is in 2.4.39. So is it not fixed
upstream? Or is this a result of the GnuTLS build?
** Changed in: openldap (Ubuntu)
Status: New => Incomplete
https://bugs.launchpad.net/bugs/1656979
Title:
No support for DHE ciphers (TLS)
Status in openldap package in Ubuntu:
Incomplete
Bug description:
Hi,
Seems the OpenLDAP shipped with Xenial (and prior) built against
GnuTLS does not support DHE cipher suites.
| hloeung@ldap-server:~$ apt-cache policy slapd
| slapd:
|   Installed: 2.4.42+dfsg-2ubuntu3.1
|   Candidate: 2.4.42+dfsg-2ubuntu3.1
|   Version table:
|  *** 2.4.42+dfsg-2ubuntu3.1 500
|         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
|         100 /var/lib/dpkg/status
|      2.4.42+dfsg-2ubuntu3 500
|         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
Our LDAP server is configured with the following:
| TLSCertificateFile /etc/ssl/certs/ldap-server.crt
| TLSCertificateKeyFile /etc/ssl/private/ldap-server.key
| TLSCACertificateFile /etc/ssl/certs/ldap-server_chain.crt
| TLSProtocolMin 1.0
| TLSCipherSuite PFS:-VERS-SSL3.0:-DHE-DSS:-ARCFOUR-128:-3DES-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:%SERVER_PRECEDENCE
| TLSDHParamFile /etc/ssl/private/dhparams.pem
I know TLSDHParamFile isn't used by OpenLDAP when built with GnuTLS,
but thought I'd try anyways. cipherscan[1] shows the following list of
cipher suites:
| prio ciphersuite protocols pfs curves
| 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 4 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 5 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 6 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
Even with TLSCipherSuite config commented out, we see the following
cipher suites:
| prio ciphersuite protocols pfs curves
| 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 4 AES256-GCM-SHA384 TLSv1.2 None None
| 5 AES256-SHA256 TLSv1.2 None None
| 6 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 7 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 8 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 9 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 10 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 11 AES128-GCM-SHA256 TLSv1.2 None None
| 12 AES128-SHA256 TLSv1.2 None None
| 13 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 14 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
| 15 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
| 16 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
I think the fix is in the patch below that's released in 2.4.39:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=622d13a32ec8d623c26a11b60b63e443dc86df99
Thanks,
Haw
[1]https://github.com/jvehent/cipherscan
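Added example, not part of the bug report or of OpenLDAP/cipherscan: a small audit helper that does the two checks the report performs by eye. It parses cipherscan-style output (a constructed subset of the reporter's rows is embedded as sample input), groups the offered suites by key-exchange family, flags the non-PFS suites, and reports whether any DHE suite is present at all. It also inspects a GnuTLS priority string for tokens that would explicitly drop DHE-RSA (the report's string only removes DHE-DSS, so DHE-RSA should still be expected). The token handling is a simplified, assumed model of GnuTLS priority processing (left to right, later `+`/`-` tokens override earlier ones); it ignores `%` flags and does not consult the library.

```python
"""Audit helper: key-exchange families in cipherscan output and explicit DHE
exclusions in a GnuTLS priority string (added example, not the project's code)."""
from collections import Counter

# Constructed sample: a subset of the cipherscan rows quoted in the bug report,
# one suite per line in the "prio ciphersuite protocols pfs curves" layout.
SAMPLE_CIPHERSCAN = """\
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
4 AES256-GCM-SHA384 TLSv1.2 None None
7 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
16 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
"""


def key_exchange(suite):
    """Classify an OpenSSL-style suite name by its key-exchange family."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon"          # unauthenticated key exchange
    if suite.startswith("ECDH-"):
        return "ECDH-static"   # static ECDH: no forward secrecy
    return "RSA"               # RSA key transport: no forward secrecy


def parse_cipherscan(text):
    """Parse cipherscan output (with or without a leading '| ') into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip().lstrip("|").strip()
        if not line or line.startswith("prio"):
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        prio, suite, protocols, pfs = parts[:4]
        curves = parts[4] if len(parts) > 4 else "None"
        rows.append({
            "prio": int(prio),
            "suite": suite,
            "protocols": protocols.split(","),
            "pfs": None if pfs == "None" else pfs,
            "curves": None if curves == "None" else curves.split(","),
            "kx": key_exchange(suite),
        })
    return rows


def summarise(rows):
    """Count key-exchange families, list non-PFS suites, flag absence of DHE."""
    families = Counter(r["kx"] for r in rows)
    return {
        "families": dict(families),
        "has_dhe": families["DHE"] > 0,
        "non_pfs_suites": [r["suite"] for r in rows if r["pfs"] is None],
    }


def priority_excludes_dhe(priority):
    """True if a GnuTLS priority string explicitly removes DHE-RSA, either by
    name or via -KX-ALL without re-adding it. Assumed simplified model:
    tokens apply left to right and later +/- tokens override earlier ones."""
    removed = False
    for tok in priority.split(":"):
        t = tok.strip().upper()
        if t in ("-DHE-RSA", "-KX-ALL"):
            removed = True
        elif t in ("+DHE-RSA", "+KX-ALL"):
            removed = False
    return removed


if __name__ == "__main__":
    summary = summarise(parse_cipherscan(SAMPLE_CIPHERSCAN))
    print("key-exchange families:", summary["families"])
    print("DHE offered:", summary["has_dhe"])
    print("non-PFS suites:", ", ".join(summary["non_pfs_suites"]))
    reporter_priority = ("PFS:-VERS-SSL3.0:-DHE-DSS:-ARCFOUR-128:-3DES-CBC:"
                         "-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-CAMELLIA-128-CBC:"
                         "-CAMELLIA-256-CBC:%SERVER_PRECEDENCE")
    print("priority string drops DHE-RSA:", priority_excludes_dhe(reporter_priority))
```

Run it against a full cipherscan capture by passing the file contents to `parse_cipherscan`; on the report's data `has_dhe` comes back False while the priority string does not exclude DHE-RSA, which is exactly the mismatch that points at the build rather than the configuration.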