I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when attempting to disable SSLv3. I have compiled the servers with the --with-tls=openssl option and communication appears to be working well between servers no matter what I have for SSL Protocol. My problems are with the clients. For client configuration I install the openldap-clients package via yum install.

Everything works as expected with this setting on the server side:

olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2

As soon as I modify the +SSLv3 to -SSLv3 to this:

olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2

the client no longer works. I have tried just about everything I can think of. I can get ldapsearch to work properly when I compile the openldap source on the client, but sssd / authentication on the Red Hat side still fails.

Here is the error message I am getting:

54481b75 slap_listener_activate(8):
54481b75 >>> slap_listener(ldaps://blah)
54481b75 connection_get(38): got connid=1009
54481b75 connection_read(38): checking for input on id=1009
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.
54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing
54481b75 connection_close: conn=1009 sd=38

I am assuming this has something to do with RHEL clients linking to MozNSS libraries instead of openssl but cannot be sure of that. Again, to be clear - I do not change anything but the olcTLSCipherSuite entry, so I do not believe it is a certificate issue.

Is there a solution to LDAP auth for RHEL clients with only allowing TLSv1.2? I will gladly compile from source or use the LTB Project rpms.

Thanks in advance,

--
Peter Boguszewski
Manager of Library Systems
UW Madison - Library Technology Group
pboguszewski@library.wisc.edu
608.262.4768
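The slapd debug output quoted in the post, fed to an added Python example (not part of the original post, and not OpenLDAP code) that groups the TLS trace lines per connection and counts failed TLS accepts by OpenSSL reason string. This is the kind of check an administrator can run over slapd -d output while staging a cipher suite change, to see how many connections stop negotiating and why. The line formats and the failing connection are taken verbatim from the post; the second, successful connection in the sample is constructed for contrast. Because the TLS trace lines carry no connection id, the example assumes they belong to the most recently opened connection, which holds for the sequential debug output shown but is an assumption, not something the post states.

```python
import re
from collections import Counter

# Constructed sample: the slapd debug lines quoted in the post (conn 1009),
# followed by a constructed second connection (1010) whose handshake proceeds.
SAMPLE_LOG = """\
54481b75 slap_listener_activate(8):
54481b75 >>> slap_listener(ldaps://blah)
54481b75 connection_get(38): got connid=1009
54481b75 connection_read(38): checking for input on id=1009
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.
54481b75 connection_read(38): TLS accept failure error=-1 id=1009, closing
54481b75 connection_close: conn=1009 sd=38
54481b80 connection_get(39): got connid=1010
54481b80 connection_read(39): checking for input on id=1010
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
"""

# A new connection: "connection_get(<fd>): got connid=<id>"
RE_CONN_OPEN = re.compile(r"connection_get\((\d+)\): got connid=(\d+)")
# OpenSSL error as slapd prints it: error:<code>:<lib>:<function>:<reason>.
RE_TLS_ERROR = re.compile(
    r"TLS: can't accept: error:([0-9A-Fa-f]+):([^:]+):([^:]+):(.+?)\.?\s*$")
# The accept failure line does carry the connection id.
RE_ACCEPT_FAIL = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")


def _new_record(fd):
    return {"fd": fd, "failed": False, "openssl_error": None, "reason": None}


def parse_slapd_tls_log(text):
    """Return {connid: record} built from slapd -d style output.

    Assumption: id-less "TLS trace"/"TLS: can't accept" lines belong to the
    most recently opened connection (true for the sequential output shown).
    """
    conns = {}
    current = None
    for line in text.splitlines():
        m = RE_CONN_OPEN.search(line)
        if m:
            fd, connid = int(m.group(1)), int(m.group(2))
            current = connid
            conns[connid] = _new_record(fd)
            continue
        m = RE_TLS_ERROR.search(line)
        if m and current is not None:
            conns[current]["openssl_error"] = m.group(1).upper()
            conns[current]["reason"] = m.group(4).strip()
            continue
        m = RE_ACCEPT_FAIL.search(line)
        if m:
            connid = int(m.group(2))
            conns.setdefault(connid, _new_record(None))
            conns[connid]["failed"] = True
    return conns


def summarize_failures(text):
    """Count failed TLS accepts by OpenSSL reason string (e.g. 'no shared cipher')."""
    counts = Counter()
    for rec in parse_slapd_tls_log(text).values():
        if rec["failed"]:
            counts[rec["reason"] or "unknown"] += 1
    return counts


if __name__ == "__main__":
    for connid, rec in sorted(parse_slapd_tls_log(SAMPLE_LOG).items()):
        state = "FAILED" if rec["failed"] else "ok"
        print(f"conn={connid} sd={rec['fd']} {state} "
              f"{rec['openssl_error'] or ''} {rec['reason'] or ''}".rstrip())
    print(dict(summarize_failures(SAMPLE_LOG)))
```

Run it against a capture of slapd's debug output before and after flipping the cipher suite; a jump in the "no shared cipher" count identifies connections whose client offers none of the cipher suites the new string leaves enabled, which is what the quoted handshake failure reports.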