[Bug 1591681] [NEW] Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd

AlainKnaff Sun, 12 Jun 2016 04:56:21 -0700

Public bug reported:

While securing our boxes, I noticed that testssl was flagging the
absence of server cipher order:



./testssl.sh localhost:636
 Has server cipher order?     nope (NOT ok)

While trying to set it using the following command, slapd just crashed:

dapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: SECURE:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:%SERVER_PRECEDENCE
-
EOF

Without the %SERVER_PRECEDENCE, it works.

According to https://gnutls.org/manual/html_node/Priority-Strings.html
and http://blog.lighttpd.net/articles/2013/06/01/mitigating-beast-with-
gnutls/ this is indeed the proper setting to add server cipher order.

Same issue happens with %FALLBACK_SCSV ("Downgrade attack prevention NOT
supported"). There seems to be no setting to fix "Secure Client-
Initiated Renegotiation".

However, adding %SAFE_RENEGOTIATION (although not fixing anything) at
least doesn't crash slapd


1) root@xl:~# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
2) root@xl:~# apt-cache policy slapd
slapd:
  Installed: 2.4.31-1+nmu2ubuntu8.2
  Candidate: 2.4.31-1+nmu2ubuntu8.2
  Version table:
 *** 2.4.31-1+nmu2ubuntu8.2 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 
Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 
Packages
        100 /var/lib/dpkg/status
     2.4.31-1+nmu2ubuntu8 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
3) What I expected to happen:

There should be a a way to enforce server cipher order in slapd, as well
as protect against Client-Initiated Renegotiation and prevent downgrade
attacks

4) What happened instead

When trying to enable these settings that would make slapd more secure,
it crashes (and after restart, the requested settings are still not
enabled)

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1591681

Title:
  Impossible to configure GnuTLS'  %SERVER_PRECEDENCE setting in slapd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1591681/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1591681] [NEW] Impossible to configure GnuTLS' %SERVER_PRECEDENCE setting in slapd

Reply via email to