Port 389 and 636 are using old SSL I need to fix - ideas?

InterceptorF

389: handshake failure for SSL2, SSL3 and TLS1.2, and

636: fails for SSL2 and TLS1.2 but does connect on SSL3.

Question:
What does it take to create new certs and apply them for ports 389 and 636? (syntax?)

Here is what I have. Any insight on getting the cert assigned to the 389 and 636 ports would be helpful - thanks.


1. Create a private key:

root]# openssl genrsa -aes256 -out MayKey.key 2048

To review that key:

root]# cat MayKey.key

root]# openssl rsa -text -in MayKey.key

2. Create a certificate signing request (CSR):

root]# openssl req -new -key MayKey.key -out MayKey.csr

If you want a field to be empty, you must enter a single dot (.) on the line; don't simply hit Return. If you do, OpenSSL will populate the corresponding CSR field with the default value.

3. Self-sign the CSR:

root]# openssl x509 -req -days 365 -in MayKey.csr -signkey MayKey.key -out MayKey.crt

~~~~~~

So now when I look at the license for each port I see the certificates:

[root@CX-node1 stornext]# openssl s_client -connect 10.20.232.71:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Jose, O = StorNext Software, OU = Quantum Corp., CN = node-1.node-1
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = StorNext Software, OU = Quantum Corp., CN = node-1.node-1
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
i:/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
issuer=/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1419 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256

Session-ID: 5910B06AB0959E2E9B0824A94239E357A854E2C1A689D31F1C67EF4F461F5605
Session-ID-ctx:
Master-Key: 31465BC30E37F2F852BDE084D15696C15C622CC6324FAAFD984D03B9F071C7302287159691882FEA68A8C496288514FF
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1494265946
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---

HEAD/ HTML/1.0
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 08 May 2017 17:54:50 GMT
Connection: close

0

closed

[root@CX-node1 stornext]#
[root@CX-node1 stornext]# clear
[root@CX-node1 stornext]# openssl s_client -connect 10.20.232.71:636
CONNECTED(00000003)
depth=1 CN = CAcert
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/DC=localdomain
i:/CN=CAcert
1 s:/CN=CAcert
i:/CN=CAcert
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
subject=/DC=localdomain
issuer=/CN=CAcert
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1205 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: 1EC5812437A5D92C5660BD0AE1BBBA4319F9E65160649D3CCAD326992BA79631
Session-ID-ctx:
Master-Key: 6873C6B143054330A02F24B250764E4F8D2F277DDF55CB3C96F8BD705A6D47D5CAF6B968BEC6A1C69F11C720A7FD6549
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1494266208
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---

^C


[root@CX-node1 stornext]# openssl s_client -connect 10.20.232.71:389
CONNECTED(00000003)
140349418448712:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1494266279
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@CX-node1 stornext]#
 


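The manual s_client checks above, turned into an added example that is not from the thread: a POSIX sh probe that tries one protocol version per run and reduces each transcript to a single line, so a listener can be re-checked after every config change. Host and port are placeholders given on the command line. One caveat the captures above hint at: port 389 is plaintext LDAP that upgrades to TLS with STARTTLS, so a raw handshake there fails whatever certificate is installed; the probe therefore uses s_client's -starttls ldap option (OpenSSL 1.1.1 or later) for 389 and a direct handshake for ldaps on 636.

```sh
#!/bin/sh
# Added example (not from the thread): probe a TLS listener once per protocol
# version with openssl s_client and reduce each transcript to one line.
# Host and port are placeholders supplied on the command line.

# Summarise one s_client transcript: FAIL, UNSUPPORTED (this openssl build
# lacks the protocol option), or "OK <protocol> <cipher> verify=<code>".
summarize_handshake() {
    out=$1
    case $out in
        *"nknown option"*)                          echo UNSUPPORTED; return ;;
        *"connect:errno"*)                          echo "FAIL (no connection)"; return ;;
        *"handshake failure"*|*"Cipher is (NONE)"*) echo FAIL; return ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    echo "OK ${proto:-?} ${cipher:-?} verify=${verify:-?}"
}

# 389 is plaintext LDAP + STARTTLS, so it needs -starttls ldap (OpenSSL 1.1.1+);
# 636 (ldaps) is TLS from the first byte. -ssl2 is omitted: no current openssl
# can even offer it, which already answers the SSL2 part of the question.
probe_protocols() {   # probe_protocols <host> <port>
    host=$1; port=$2; extra=""
    [ "$port" = 389 ] && extra="-starttls ldap"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" $extra $flag </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(summarize_handshake "$out")"
    done
}

# Constructed transcripts, trimmed to the lines that matter, modelled on the
# two captures in the thread (636 negotiating TLSv1; 389 failing outright).
SAMPLE_636='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_389='CONNECTED(00000003)
140349418448712:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

if [ $# -eq 2 ]; then probe_protocols "$1" "$2"; fi
```

Run it as `sh probe.sh ldap.example.test 636` (placeholder host); a line reading "OK TLSv1 ..." for -tls1 next to "FAIL" for -tls1_2 is the symptom from the thread.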
Do you need to just tell the LDAP config where the new key lives so it can use the new one(s) you generated? Unless I'm misunderstanding what the issue is...

Rob
 
Yep - that is where I am stumped... How do I tell LDAP (port 389) to use this protocol (TLS1.2) and cipher (AES-256)?

I've been looking around but not seeing what I am seeking... Thanks for the input.
 
I'm far from an expert on LDAP (queried them but never set one up), but maybe these links will help:

Assuming you are using openLDAP:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_obsolete.html#5.0 - details configuration params for openLDAP and both client/server configs.

Specifically:
TLSCipherSuite <cipher suite spec>: describes what ciphers will be accepted
TLSCACertificateFile <filename>: file that contains the certificates of all trusted CA certs
TLSCACertificatePath <directory>: directory containing CA certificates. Usually this or TLSCACertificateFile is used.
TLSCertificateFile <filename>: server certificate filename
TLSCertificateKeyFile <filename>: server private key filename


http://help.fortinet.com/fweb/554/Content/FortiWeb/fortiweb-admin/supported_cipher_suites.htm - Supported protocols for different cipher suites. Looks like yours should support TLSv1.2. Also helpful info on cipher suites in general.

Hope this helps
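Putting the directives listed above to work, as an added example that is neither from the thread nor OpenLDAP's own tooling: a POSIX sh script that creates the server key and self-signed certificate, checks that they belong together, and prints the slapd.conf TLS block pointing at them. It assumes slapd built against OpenSSL (TLSCipherSuite takes OpenSSL cipher-string syntax), an output directory such as /etc/openldap/certs, and adds TLSProtocolMin, a real slapd.conf directive not mentioned above, to pin the minimum version at TLS 1.2. Two practical caveats: slapd loads TLSCertificateKeyFile without a passphrase prompt, so the -aes256 key from the first post cannot be used as-is and the key is written unencrypted here; and in cn=config the same directives carry an olc prefix (olcTLSCertificateFile and so on).

```sh
#!/bin/sh
# Added example, not from the thread or OpenLDAP: make a key + self-signed
# cert for slapd and print the slapd.conf TLS directives that reference them.
# Paths, hostname and the single-cert "CA" layout are assumptions.
set -eu

# slapd reads TLSCertificateKeyFile without prompting, so the key must be
# unencrypted (-nodes): a key made with "genrsa -aes256" will not load.
make_server_cert() {        # make_server_cert <fqdn> <outdir> [days]
    fqdn=$1; dir=$2; days=${3:-365}
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$dir/slapd.key" -out "$dir/slapd.crt" 2>/dev/null
    chmod 600 "$dir/slapd.key"
}

# Confirm cert and key carry the same public key before pointing slapd at
# them; a mismatched pair makes the TLS listener fail to start.
cert_matches_key() {        # cert_matches_key <crt> <key> -> exit 0/1
    [ -r "$1" ] && [ -r "$2" ] || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# slapd.conf directives (same names as in the reply above). With a
# self-signed server cert the CA file is the cert itself. TLSProtocolMin 3.3
# means TLS 1.2; 3.1 would still let TLSv1 be negotiated as on port 636 above.
# Cipher string is OpenSSL syntax; a GnuTLS build of slapd needs its own form.
slapd_tls_directives() {    # slapd_tls_directives <dir>
    cat <<EOF
TLSCACertificateFile  $1/slapd.crt
TLSCertificateFile    $1/slapd.crt
TLSCertificateKeyFile $1/slapd.key
TLSCipherSuite        HIGH:!aNULL:!MD5:!RC4
TLSProtocolMin        3.3
EOF
}

if [ $# -ge 1 ]; then       # usage: sh slapd-tls.sh <fqdn> [outdir]
    dir=${2:-/etc/openldap/certs}
    make_server_cert "$1" "$dir"
    cert_matches_key "$dir/slapd.crt" "$dir/slapd.key" && slapd_tls_directives "$dir"
fi
```

After adding the printed block to slapd.conf and restarting slapd, clients that still only speak TLS 1.0 will stop connecting, which is the intended effect of TLSProtocolMin.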