[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]
** Changed in: openldap (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1656979

Title:
  No support for DHE ciphers (TLS)

Status in openldap package in Ubuntu:
  Expired

Bug description:
  Hi,

  Seems the OpenLDAP shipped with Xenial (and prior) built against GnuTLS
  does not support DHE cipher suites.

  | hloeung@ldap-server:~$ apt-cache policy slapd
  | slapd:
  |   Installed: 2.4.42+dfsg-2ubuntu3.1
  |   Candidate: 2.4.42+dfsg-2ubuntu3.1
  |   Version table:
  |  *** 2.4.42+dfsg-2ubuntu3.1 500
  |         500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
  |         100 /var/lib/dpkg/status
  |      2.4.42+dfsg-2ubuntu3 500
  |         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  Our LDAP server is configured with the following:

  | TLSCertificateFile /etc/ssl/certs/ldap-server.crt
  | TLSCertificateKeyFile /etc/ssl/private/ldap-server.key
  | TLSCACertificateFile /etc/ssl/certs/ldap-server_chain.crt
  | TLSProtocolMin 1.0
  | TLSCipherSuite PFS:-VERS-SSL3.0:-DHE-DSS:-ARCFOUR-128:-3DES-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:%SERVER_PRECEDENCE
  | TLSDHParamFile /etc/ssl/private/dhparams.pem

  I know TLSDHParamFile isn't used by OpenLDAP when built with GnuTLS, but
  thought I'd try anyway.

  cipherscan[1] shows the following list of cipher suites:

  | prio  ciphersuite                  protocols              pfs                 curves
  | 1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 5     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 6     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1

  Even with TLSCipherSuite config commented out, we see the following
  cipher suites:

  | prio  ciphersuite                  protocols              pfs                 curves
  | 1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 4     AES256-GCM-SHA384            TLSv1.2                None                None
  | 5     AES256-SHA256                TLSv1.2                None                None
  | 6     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
  | 7     CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
  | 8     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 9     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 10    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 11    AES128-GCM-SHA256            TLSv1.2                None                None
  | 12    AES128-SHA256                TLSv1.2                None                None
  | 13    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
  | 14    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
  | 15    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
  | 16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

  I think the fix is in the patch below that's released in 2.4.39:

  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=622d13a32ec8d623c26a11b60b63e443dc86df99

  Thanks,
  Haw

  [1] https://github.com/jvehent/cipherscan

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979/+subscriptions
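The report above compares a GnuTLS priority string that asks for all PFS suites (DHE-RSA and ECDHE-RSA, with DHE-DSS removed) against a cipherscan table in which no DHE suite appears at all. The script below is an added example, not code from the bug report, OpenLDAP, GnuTLS or cipherscan: it parses the plain-text table cipherscan prints (prio, ciphersuite, protocols, pfs, curves), classifies each suite by key-exchange family, and compares what the priority string asked for with what the server actually offers, so the "no DHE" symptom can be checked mechanically. The sample table is a constructed subset of the rows in the report, the suite-name classification is a heuristic over OpenSSL-style names, and `expected_pfs_families` is a deliberately simplified model of the GnuTLS `PFS` keyword (all four PFS families, minus explicit `-DHE-XXX` / `-ECDHE-XXX` removals); none of these are the real projects' APIs.

```python
"""Audit a cipherscan report for forward-secrecy coverage.

Added example for the bug report above; not code from OpenLDAP, GnuTLS or
cipherscan.  Parses the text table cipherscan prints and reports which
key-exchange families the server really offers.
"""

# Constructed sample: a subset of the rows cipherscan printed for the server
# with TLSCipherSuite commented out (see the bug report).
SAMPLE_REPORT = """\
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
4 AES256-GCM-SHA384 TLSv1.2 None None
6 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
15 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime192v1,secp224r1,prime256v1,secp384r1,secp521r1
16 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
"""

# The TLSCipherSuite value from the bug report, verbatim.
BUG_PRIORITY = ("PFS:-VERS-SSL3.0:-DHE-DSS:-ARCFOUR-128:-3DES-CBC:"
                "-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-CAMELLIA-128-CBC:"
                "-CAMELLIA-256-CBC:%SERVER_PRECEDENCE")

PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
# Substrings that mark a suite most practitioners would refuse today.
WEAK_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP-", "MD5")


def parse_cipherscan(text):
    """Return one dict per suite row of a cipherscan table; header/garbage lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue  # header row, blank line, or a line wrapped by extraction
        prio, suite, protocols, pfs, curves = parts
        rows.append({
            "prio": int(prio),
            "suite": suite,
            "protocols": protocols.split(","),
            "pfs": None if pfs == "None" else pfs,
            "curves": [] if curves == "None" else curves.split(","),
        })
    return rows


def key_exchange(suite):
    """Heuristic key-exchange family from an OpenSSL-style suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE-" + suite.split("-")[1]      # ECDHE-RSA / ECDHE-ECDSA
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE-" + suite.split("-")[1]        # DHE-RSA / DHE-DSS (EDH- is the old OpenSSL spelling)
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon"                              # unauthenticated DH: PFS but no server auth
    return "RSA"                                   # static RSA key transport: no PFS


def expected_pfs_families(priority, cert_type):
    """Simplified model (assumption, not GnuTLS's own parser): a priority string
    that starts with PFS requests every PFS family, minus explicit removals.
    Only families whose signature algorithm matches the server certificate
    (cert_type = "RSA" or "ECDSA") can ever be offered, so others are dropped."""
    keywords = priority.split(":")
    if keywords[0] != "PFS":
        raise ValueError("this helper only models priority strings starting with PFS")
    families = {"DHE-RSA", "DHE-DSS", "ECDHE-RSA", "ECDHE-ECDSA"}
    for kw in keywords[1:]:
        if kw.startswith("-") and kw[1:] in families:
            families.discard(kw[1:])
    return {f for f in families if f.endswith("-" + cert_type)}


def audit(rows, priority=None, cert_type="RSA"):
    """Summarise a parsed scan; with a priority string, also list requested PFS families that never showed up."""
    observed = {key_exchange(r["suite"]) for r in rows}
    lowest = min((p for r in rows for p in r["protocols"]), key=lambda p: PROTO_RANK.get(p, 99))
    result = {
        "observed_kx": observed,
        "dhe_offered": any(k.startswith("DHE-") for k in observed),
        "non_pfs": [r["suite"] for r in rows if r["pfs"] is None],
        "weak": [r["suite"] for r in rows if any(m in r["suite"] for m in WEAK_MARKERS)],
        "lowest_protocol": lowest,
    }
    if priority is not None:
        result["missing_vs_priority"] = expected_pfs_families(priority, cert_type) - observed
    return result


if __name__ == "__main__":
    report = audit(parse_cipherscan(SAMPLE_REPORT), priority=BUG_PRIORITY, cert_type="RSA")
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Run against the constructed sample, `missing_vs_priority` comes back as `{'DHE-RSA'}`, which is precisely the gap the report describes: the priority string requests DHE-RSA, the certificate is RSA, and yet no DHE-RSA suite is ever negotiated. The same audit also surfaces the static-RSA and 3DES suites that appear once TLSCipherSuite is commented out, which is why a priority string should be kept in place even when the DHE problem is fixed.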