No support for DHE ciphers (TLS)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
Hi,
Seems the OpenLDAP shipped with Xenial (and prior) built against GnuTLS does not support DHE cipher suites.
| hloeung@
| slapd:
| Installed: 2.4.42+
| Candidate: 2.4.42+
| Version table:
| *** 2.4.42+
| 500 http://
| 100 /var/lib/
| 2.4.42+
| 500 http://
Our LDAP server is configured with the following:
| TLSCertificateFile /etc/ssl/
| TLSCertificateK
| TLSCACertificat
| TLSProtocolMin 1.0
| TLSCipherSuite PFS:-VERS-
| TLSDHParamFile /etc/ssl/
I know TLSDHParamFile isn't used by OpenLDAP when built with GnuTLS, but thought I'd try anyways. cipherscan[1] shows the following list of cipher suites:
| prio ciphersuite protocols pfs curves
| 1 ECDHE-RSA-
| 2 ECDHE-RSA-
| 3 ECDHE-RSA-
| 4 ECDHE-RSA-
| 5 ECDHE-RSA-
| 6 ECDHE-RSA-
Even with TLSCipherSuite config commented out, we see the following cipher suites:
| prio ciphersuite protocols pfs curves
| 1 ECDHE-RSA-
| 2 ECDHE-RSA-
| 3 ECDHE-RSA-
| 4 AES256-GCM-SHA384 TLSv1.2 None None
| 5 AES256-SHA256 TLSv1.2 None None
| 6 AES256-SHA TLSv1,TLSv1.
| 7 CAMELLIA256-SHA TLSv1,TLSv1.
| 8 ECDHE-RSA-
| 9 ECDHE-RSA-
| 10 ECDHE-RSA-
| 11 AES128-GCM-SHA256 TLSv1.2 None None
| 12 AES128-SHA256 TLSv1.2 None None
| 13 AES128-SHA TLSv1,TLSv1.
| 14 CAMELLIA128-SHA TLSv1,TLSv1.
| 15 ECDHE-RSA-
| 16 DES-CBC3-SHA TLSv1,TLSv1.
I think the fix is in the patch below that's released in 2.4.39:
Thanks,
Haw
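An added check, not part of the bug report or of OpenLDAP, that reads cipherscan-style table output like the listings above and reports whether any DHE suite is offered at all and which suites lack forward secrecy (the `pfs` column is `None`). The sample rows and the full suite names are constructed for the example.

```python
from collections import Counter

# Constructed sample in the same column layout as the report's listings
# (prio ciphersuite protocols pfs curves); not real scan data.
SAMPLE_SCAN = """\
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
3 AES256-GCM-SHA384 TLSv1.2 None None
4 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
5 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
"""


def parse_cipherscan(text):
    """Turn the whitespace-separated table into dicts keyed by header name."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        # Split into at most len(header) fields so a trailing column may be empty.
        fields = line.split(None, len(header) - 1)
        rows.append(dict(zip(header, fields)))
    return rows


def key_exchange(suite):
    """Classify the key exchange from an OpenSSL-style cipher suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"          # ephemeral ECDH: forward secrecy
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"            # ephemeral finite-field DH: forward secrecy
    return "RSA"                # static RSA key transport: no forward secrecy


def audit(text):
    """Summarise DHE/ECDHE availability and list the suites without PFS."""
    rows = parse_cipherscan(text)
    kx = Counter(key_exchange(r["ciphersuite"]) for r in rows)
    non_pfs = [r["ciphersuite"] for r in rows if r.get("pfs") == "None"]
    return {
        "offers_dhe": kx["DHE"] > 0,
        "offers_ecdhe": kx["ECDHE"] > 0,
        "non_pfs_suites": non_pfs,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

Run against a server's own cipherscan output, `offers_dhe` being false while `non_pfs_suites` is non-empty is exactly the situation the report describes: clients that cannot do ECDHE fall back to non-PFS RSA suites instead of DHE.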
Changed in openldap (Ubuntu): status: Expired → Incomplete
Changed in openldap (Ubuntu): status: Incomplete → Expired
Changed in openldap (Ubuntu): status: Expired → Incomplete
Changed in openldap (Ubuntu): status: Incomplete → Expired
Changed in openldap (Ubuntu): status: Expired → Incomplete
Changed in openldap (Ubuntu): status: Incomplete → Expired
Hello, I'm a bit confused. As you noted, Xenial (and on) have 2.4.42 as the base, but the fix you mention is in 2.4.39. So is it not fixed upstream? Or is this a result of the GnuTLS build?