Welcome to Our Community

While Linux.org has been around for a while, we recently changed management and had to purge most of the content (including users). If you signed up before April 23rd please sign up again. Thanks!

Port 389 and 636 are using old SSL I need to fix - ideas?

Discussion in 'Linux Security' started by InterceptorF, May 8, 2017.

Tags:
  1. InterceptorF

    InterceptorF New Member

    Joined:
    May 1, 2017
    Messages:
    3
    Likes Received:
    0
    389 handshake failure for SSL2 SSL3 and tls1.2 and

    636 fails for SSL2 and TLS1.2 but does connect on SSL3.

    Question:
    What does it take to create new certs and apply them for ports 389 and 636? < syntax?



    Here is what I have
    Any insight on getting the cert to be assigned to the 389 and 636 ports would be helpful - thanks


    1. create a private key :

    root#] openssl genrsa -aes256 -out MayKey.key 2048

    To review that key:

    root]# cat MayKey.key

    root#] openssl rsa -text -in MayKey.key

    2.Create a Certificate signing request (CSR)

    root#] openssl req -new -key MayKey.key -out MayKey.csr

    If you want a field to be empty, you must enter a single dot (.) on the line, don't simply hit return.
    hit Return. If you do, openSSL will populate the corresponding CSR field with the
    default value.

    3. Self-sign the CSR

    root#] openssl x509 -req -days 365 -in MayKey.csr -signkey MayKey.key -out MayKey.crt

    ~~~~~~

    So now when I look at the license for each port _ see the certificates :

    [root@CX-node1 stornext]# openssl s_client -connect 10.20.232.71:443
    CONNECTED(00000003)
    depth=0 C = US, ST = California, L = San Jose, O = StorNext Software, OU = Quantum Corp., CN = node-1.node-1
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = California, L = San Jose, O = StorNext Software, OU = Quantum Corp., CN = node-1.node-1
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
    i:/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDozCCAougAwIBAgIEFTIJsTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMC
    VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRowGAYD
    VQQKExFTdG9yTmV4dCBTb2Z0d2FyZTEWMBQGA1UECxMNUXVhbnR1bSBDb3JwLjEW
    MBQGA1UEAxMNbm9kZS0xLm5vZGUtMTAeFw0xNjAyMDExOTUxMzJaFw0yMTAxMzAx
    OTUxMzJaMIGBMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
    A1UEBxMIU2FuIEpvc2UxGjAYBgNVBAoTEVN0b3JOZXh0IFNvZnR3YXJlMRYwFAYD
    VQQLEw1RdWFudHVtIENvcnAuMRYwFAYDVQQDEw1ub2RlLTEubm9kZS0xMIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiGK+KSgCY5Yclb1tVAIjfvgHKwS9
    TecDggNtswqfaT0FxDC14eRINoYji6UgXOl2rvv0O7Q1ymi1h5EcTvfijA254Ek1
    WrELTwVFSSCiNyGDTahzoUg7yaomru+wNPtq/CqLrsG7O1J9f/zdb9ZcUGQYZepr
    W/6jOY70qfYx7TKxkE3qOrA4fxkJMzzcS78HxHCXKhanosKkE1gYpbs98GMDfQlM
    IvdWUWzmh9ytjYWE/iQpL48Y0b6bPu6MnZsYKX9kePmy0X8tfg+0qOZDiArvwhCX
    CsaQ14JgLnqWtkWNADlaU9lo0dZt7iq3SmeAe8Y0/BLcrkt4Sog7wMuMxwIDAQAB
    oyEwHzAdBgNVHQ4EFgQUKEg1gz0L3r35Qz82OlNnzwxypXgwDQYJKoZIhvcNAQEL
    BQADggEBAGWOSvnhi+OykrhNd34AZDr7VkjOQABTZD7R/qcA5Uzy9fYDnOIFcTsU
    DWKe3ibI20fJDUpNJ7vertOL51DWh974fn1kU0FIFj38VFNJ4cvKdIHdrxbq0r1s
    zCkdNpzhTiR4Udc2v7Moks4Qi0tHiYQRAfMduT1hFOinj/sbMELUuKXHssE7jmnv
    ojAzaEN6aRhgecUlK8PaNoZMAZSMGAJzo0TxaawH3DqJotGA1AlPcIo4O9JjEg/M
    1MQknHiYmLp0CP/tOdxkgbL8VgZEBLYn2wfw3A79llKGb8fuFjyW6ynFmkpBGdsZ
    jc8e8l65hAXf4uj49hQDTJBmWBNX8Y8=
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
    issuer=/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1419 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256

    Session-ID: 5910B06AB0959E2E9B0824A94239E357A854E2C1A689D31F1C67EF4F461F5605
    Session-ID-ctx:
    Master-Key: 31465BC30E37F2F852BDE084D15696C15C622CC6324FAAFD984D03B9F071C7302287159691882FEA68A8C496288514FF
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1494265946
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
    ---

    HEAD/ HTML/1.0
    HTTP/1.1 400 Bad Request
    Server: Apache-Coyote/1.1
    Transfer-Encoding: chunked
    Date: Mon, 08 May 2017 17:54:50 GMT
    Connection: close

    0

    closed







    [root@CX-node1 stornext]#
    [root@CX-node1 stornext]# clear
    [root@CX-node1 stornext]# openssl s_client -connect 10.20.232.71:636
    CONNECTED(00000003)
    depth=1 CN = CAcert
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
    0 s:/DC=localdomain
    i:/CN=CAcert
    1 s:/CN=CAcert
    i:/CN=CAcert
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIBozCCAQygAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwETEPMA0GA1UEAxMGQ0Fj
    ZXJ0MB4XDTE2MDIwMzE4MjYxOVoXDTI2MDIwMzE4MjYxOVowHTEbMBkGCgmSJomT
    8ixkARkWC2xvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY
    FKW12s7FwfjJJ3GoMQmOWpQEaXmcEUZor6sICqsDrBUod/NmYXOt2P03//lLhNiK
    d0htRBYyCOctYneOyoQ8QSV00EVaSAC6XZ47ADzv1Jju/+dSLqxFIl7BWRIFfQsn
    zgvU84302jcSSXWSd02QLHKgA5hP1OTs+ez/fjHyGQIDAQABMA0GCSqGSIb3DQEB
    BQUAA4GBABu1WA/nkUfPNPUBWUVLu/nKXvUvwL5FaCSPB+AZ4Frus8TewC63eZLD
    1sSkrF0kOYad/C4p8tR3ozwCVESgL7WVIk23H+4MwDm+9Hfkjnep2MEzhxVstee3
    iNqYzwYPErR4K0JoDTOIAErZnOKe57lLIo27m5pZ1lxW4u0LH+SX
    -----END CERTIFICATE-----
    subject=/DC=localdomain
    issuer=/CN=CAcert
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1205 bytes and written 423 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES128-SHA
    Session-ID: 1EC5812437A5D92C5660BD0AE1BBBA4319F9E65160649D3CCAD326992BA79631
    Session-ID-ctx:
    Master-Key: 6873C6B143054330A02F24B250764E4F8D2F277DDF55CB3C96F8BD705A6D47D5CAF6B968BEC6A1C69F11C720A7FD6549
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1494266208
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    ---

    ^C


    [root@CX-node1 stornext]# openssl s_client -connect 10.20.232.71:389
    CONNECTED(00000003)
    140349418448712:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 289 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1494266279
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    [root@CX-node1 stornext]#
     
  2. Rob

    Rob Administrator
    Staff Member

    Joined:
    Oct 27, 2011
    Messages:
    89
    Likes Received:
    349
    Do you need to just tell the ldap config where the new key lives so it can use the new one(s) you generated? Unless i'm misunderstanding what the issue is..

    Rob
     
  3. InterceptorF

    InterceptorF New Member

    Joined:
    May 1, 2017
    Messages:
    3
    Likes Received:
    0
    yep - that is where I am stumped... How do I tell ldap ( port 389) to use this protocol ( TLS1.2 ) and cipher ( AES-256) ?

    I 've been looking around but not seeing what I am seeking ... Thanks for the input .
     
  4. Rob

    Rob Administrator
    Staff Member

    Joined:
    Oct 27, 2011
    Messages:
    89
    Likes Received:
    349
    I haven't messed with it too much, but I'm thinking the config files for it probably specify which ports and certs to use.

    Let us know what you find.
     
  5. MikeyD

    MikeyD New Member

    Joined:
    May 5, 2017
    Messages:
    9
    Likes Received:
    8
    I'm far from an expert on LDAP (queried them but never set one up), but maybe these links will help:

    Assuming you are using openLDAP:
    http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_obsolete.html#5.0 - details configuration params for openLDAP and both client/server configs.

    Specifically:
    TLSCipherSuite cipher suite spec describes what ciphers will be accepted
    TLSCACertificateFile filename file that contains the certificates of all trusted CA certs
    TLSCACertificatePath directory directory containing CA certificates. Usually this or TLSCACertificateFile is used.
    TLSCertificateFile filename server certificate filename
    TLSCertificateKeyFile filename server private key filename


    http://help.fortinet.com/fweb/554/Content/FortiWeb/fortiweb-admin/supported_cipher_suites.htm - Supported protocols for different cipher suites. Looks like yours should support TLSv1.2. Also helpful info on cipher suites in general.

    Hope this helps
     
    Rob likes this.
  6. Rob

    Rob Administrator
    Staff Member

    Joined:
    Oct 27, 2011
    Messages:
    89
    Likes Received:
    349
  7. InterceptorF

    InterceptorF New Member

    Joined:
    May 1, 2017
    Messages:
    3
    Likes Received:
    0
    No... I have not been working on it per se; although there is a very good free ebook on SSL that has been very informative..
    https://www.feistyduck.com/books/openssl-cookbook/

    I have created a key, a crs and a crt but am at the point I am not sure how to envoke it on the LDAP amd LDAPS ports 389 and 636 ... ?
     

Share This Page