[Touch-packages] [Bug 1591681] Re: Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd

Thanks for the report. Confirmed in trusty, but cannot reproduce in xenial. However, gnutls-serv in trusty does accept the flag. Can you please check whether this still happens for you on a more recent release, and whether your SSL tester actually reports the problem is fixed?

** Changed in: openldap (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1591681

Title:
  Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  While securing our boxes, I noticed that testssl was flagging the absence of server cipher order:

    ./testssl.sh localhost:636
    Has server cipher order?   nope (NOT ok)

  While trying to set it using the following command, slapd just crashed:

    ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
    dn: cn=config
    changetype: modify
    replace: olcTLSCipherSuite
    olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE
    -
    EOF

  Without the %SERVER_PRECEDENCE, it works. According to https://gnutls.org/manual/html_node/Priority-Strings.html and http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-with-gnutls/ this is indeed the proper setting to add server cipher order.

  Same issue happens with %FALLBACK_SCSV ("Downgrade attack prevention NOT supported"). There seems to be no setting to fix "Secure Client-Initiated Renegotiation". However, adding %SAFE_RENEGOTIATION (although not fixing anything) at least doesn't crash slapd.

  1) root@xl:~# lsb_release -rd
     Description:    Ubuntu 14.04.4 LTS
     Release:        14.04

  2) root@xl:~# apt-cache policy slapd
     slapd:
       Installed: 2.4.31-1+nmu2ubuntu8.2
       Candidate: 2.4.31-1+nmu2ubuntu8.2
       Version table:
      *** 2.4.31-1+nmu2ubuntu8.2 0
             500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
             500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
             100 /var/lib/dpkg/status
          2.4.31-1+nmu2ubuntu8 0
             500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  3) What I expected to happen:
     There should be a way to enforce server cipher order in slapd, as well as protect against Client-Initiated Renegotiation and prevent downgrade attacks.

  4) What happened instead:
     When trying to enable these settings that would make slapd more secure, it crashes (and after restart, the requested settings are still not enabled).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1591681/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1591681] Re: Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd

I tried it on Xenial, but now I get the following error whatever I do with LDAP:

    SASL/EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
            additional info: SASL(-4): no mechanism available:

But, apart from that, trusty is a "long term support" release, and supposed to get security fixes until April 2019.

** Changed in: openldap (Ubuntu)
       Status: Incomplete => Confirmed
[Touch-packages] [Bug 1591681] Re: Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd

Oops, I was just missing the -H ldapi:/// along with the -Y EXTERNAL. Now the following works (well, with slapd, not with the textarea on this site, WTF? :-( ):

    ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
    dn: cn=config
    changetype: modify
    replace: olcTLSCipherSuite
    olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION:%FALLBACK_SCSV
    EOF

%SERVER_PRECEDENCE does fix the "server cipher order" => good.

However, %FALLBACK_SCSV fails to fix "TLS_FALLBACK_SCSV (RFC 7507)", which now says "some unexpected "handshake failure" instead of "inappropriate fallback" (likely NOT ok)".

Moreover, %SAFE_RENEGOTIATION fails to fix "Secure Client-Initiated Renegotiation", it still says VULNERABLE (NOT ok), DoS threat. Or maybe there's a different setting needed for that?
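Since the report describes slapd crashing on a priority string it could not handle, a defender would want to lint the string and, where GnuTLS is installed, let gnutls-cli parse it before writing it into cn=config. This is an added example, not code from the bug report, OpenLDAP or GnuTLS; the recognised-modifier and keyword lists are an assumed subset of what the GnuTLS manual documents, and the `gnutls-cli -l --priority` invocation is assumed to be available on the host.

```python
import re
import shutil
import subprocess

# Modifiers this linter accepts: an assumed subset of what the GnuTLS manual
# documents, including the three discussed in the bug report.
KNOWN_MODIFIERS = {
    "%SERVER_PRECEDENCE", "%SAFE_RENEGOTIATION", "%UNSAFE_RENEGOTIATION",
    "%PARTIAL_RENEGOTIATION", "%DISABLE_SAFE_RENEGOTIATION",
    "%FALLBACK_SCSV", "%COMPAT", "%NO_TICKETS", "%LATEST_RECORD_VERSION",
}
KEYWORDS = {"SECURE", "SECURE128", "SECURE192", "SECURE256", "NORMAL",
            "PFS", "LEGACY", "PERFORMANCE", "NONE"}
ELEMENT = re.compile(r"^[+\-!][A-Z0-9][A-Z0-9.-]*$")  # e.g. -VERS-SSL3.0, -3DES-CBC

def lint_priority(priority: str) -> list:
    """Return the problems found in a GnuTLS priority string ([] = looks sane)."""
    tokens = priority.split(":")
    problems = []
    if tokens[0] not in KEYWORDS:
        problems.append(f"first element should be a level keyword, got {tokens[0]!r}")
    for tok in tokens[1:]:
        if tok == "":
            problems.append("empty element (double or trailing ':')")
        elif tok.startswith("%"):
            if tok not in KNOWN_MODIFIERS:
                problems.append(f"unrecognised modifier {tok}")
        elif not ELEMENT.match(tok):
            problems.append(f"malformed element {tok!r}")
    if "%SERVER_PRECEDENCE" not in tokens:
        problems.append("no %SERVER_PRECEDENCE: server will not enforce its cipher order")
    return problems

def build_ldif(priority: str) -> str:
    """LDIF for the cn=config change made in the report (replace olcTLSCipherSuite)."""
    return ("dn: cn=config\nchangetype: modify\nreplace: olcTLSCipherSuite\n"
            f"olcTLSCipherSuite: {priority}\n")

def gnutls_accepts(priority: str):
    """True/False from `gnutls-cli -l --priority` exit status; None if gnutls-cli is absent."""
    if shutil.which("gnutls-cli") is None:
        return None
    res = subprocess.run(["gnutls-cli", "-l", "--priority", priority],
                         capture_output=True, text=True)
    return res.returncode == 0

if __name__ == "__main__":
    p = "SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE"
    print(lint_priority(p) or "lint: ok", gnutls_accepts(p), build_ldif(p), sep="\n")
```

Feed the LDIF from build_ldif to `ldapmodify -Y EXTERNAL -H ldapi:///` only once both checks pass.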