RHEL / RHEL-78722

Failed to set sslversionmax to TLS1.3 in FIPS mode with dsconf $INSTANCE security set --tls-protocol-max TLS1.3

    • Bug
    • Resolution: Unresolved
    • Undefined
    • rhel-9.6
    • rhel-9.5
    • 389-ds-base
    • 389-ds-base-2.6.1-4.el9_6
    • No
    • Moderate
    • ZStream
    • rhel-sst-idm-ds
    • ssg_idm
    • Automated tests pass in FIPS mode:

      dirsrvtests/tests/suites/tls/ssl_version_test.py
    • Pass
    • Automated
    • Bug Fix
    • .You can now use TLS 1.3 to connect to an LDAP server running in FIPS mode

      Before this update, when you tried to explicitly set TLS 1.3 when connecting to an LDAP server in FIPS mode, the used TLS version still remained 1.2. As a result, an attempt to connect to the LDAP server by using TLS 1.3 failed. With this update, the upper limit of the TLS version in FIPS mode was changed to 1.3, and the attempt to connect to an LDAP server with TLS 1.3 no longer fails.
    • None

      What were you trying to do that didn't work?

      I would like to enable TLS1.3 for LDAP in IPA.

      I ran

      dsconf $INSTANCE security set --tls-protocol-max TLS1.3

      And it shows

      Successfully updated security configuration (nsSSL3Ciphers)

      The LDAP audit also shows

      time: 20250211165819
      dn: cn=encryption,cn=config
      result: 0
      changetype: modify
      replace: sslVersionMax
      sslVersionMax: TLS1.3
      -
      replace: modifiersname
      modifiersname: cn=Directory Manager
      -
      replace: modifytimestamp
      modifytimestamp: 20250211065819Z
      -

      However, the sslVersionMax is still

      # dsconf $LDAP_INSTANCE security get | grep sslversion
      sslversionmin: TLS1.2
      sslversionmax: TLS1.2

      What is the impact of this issue to you?

      Failed to connect to LDAP with TLS1.3

      # openssl s_client -connect $(hostname):636 -tls1_3 -state <<<''
      Connecting to fd00:dce6:2::1
      CONNECTED(00000003)
      SSL_connect:before SSL initialization
      SSL_connect:SSLv3/TLS write client hello
      SSL3 alert read:fatal:protocol version
      SSL_connect:error in error
      00EEF790517F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:909:SSL alert number 70
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 7 bytes and written 256 bytes
      Verification: OK
      ---
      New, (NONE), Cipher is (NONE)
      This TLS version forbids renegotiation.
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)
      ---

      Please provide the package NVR for which the bug is seen:

      • 389-ds-base-libs-2.5.2-2.el9_5.x86_64
      • 389-ds-base-2.5.2-2.el9_5.x86_64
      • openssl-3.2.2-6.el9_5.x86_64
      • nss-util-3.101.0-10.el9_2.x86_64
      • nss-softokn-freebl-3.101.0-10.el9_2.x86_64
      • nss-softokn-3.101.0-10.el9_2.x86_64
      • nss-3.101.0-10.el9_2.x86_64
      • nss-sysinit-3.101.0-10.el9_2.x86_64
      • nss-tools-3.101.0-10.el9_2.x86_64
      • ipa-server-4.12.2-1.el9_5.3.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. dsconf $INSTANCE security set --tls-protocol-max TLS1.3

      Expected results

      SSL version max set to TLS1.3

      # dsconf $LDAP_INSTANCE security get | grep sslversionmax 
      sslversionmax: TLS1.3

      Actual results

      SSL version max was still TLS1.2

      # dsconf $LDAP_INSTANCE security get | grep sslversionmax 
      sslversionmax: TLS1.2

      Additional info

      LDAP errors

      [11/Feb/2025:16:25:35.417144781 +1000] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE.COM IPA CA
      [11/Feb/2025:16:25:35.426097079 +1000] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password if pin.txt does not exist.
      [11/Feb/2025:16:25:35.458167021 +1000] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
      [11/Feb/2025:16:25:35.496775070 +1000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
      [11/Feb/2025:16:25:35.505404533 +1000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
      [11/Feb/2025:16:25:35.514376334 +1000] - INFO - Security Initialization - SSL info: 	TLS_AES_128_GCM_SHA256: enabled
      [11/Feb/2025:16:25:35.523423649 +1000] - INFO - Security Initialization - SSL info: 	TLS_AES_256_GCM_SHA384: enabled
      [11/Feb/2025:16:25:35.532383638 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
      [11/Feb/2025:16:25:35.541233889 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
      [11/Feb/2025:16:25:35.549894736 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
      [11/Feb/2025:16:25:35.558803624 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
      [11/Feb/2025:16:25:35.567831353 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.576902917 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.585804731 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.596021538 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
      [11/Feb/2025:16:25:35.606657012 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
      [11/Feb/2025:16:25:35.615795916 +1000] - INFO - Security Initialization - SSL info: 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.623678463 +1000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
      [11/Feb/2025:16:25:35.632590371 +1000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
      [11/Feb/2025:16:25:35.641503350 +1000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.650563393 +1000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
      [11/Feb/2025:16:25:35.659492466 +1000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.668374552 +1000] - INFO - Security Initialization - SSL info: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
      [11/Feb/2025:16:25:35.677408092 +1000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
      [11/Feb/2025:16:25:35.686166159 +1000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
      [11/Feb/2025:16:25:35.694949070 +1000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.703879714 +1000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
      [11/Feb/2025:16:25:35.712568238 +1000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_CBC_SHA: enabled
      [11/Feb/2025:16:25:35.721375529 +1000] - INFO - Security Initialization - SSL info: 	TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
      [11/Feb/2025:16:25:35.744204689 +1000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
      [11/Feb/2025:16:25:35.753124427 +1000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
      [11/Feb/2025:16:25:35.762378520 +1000] - INFO - main - 389-Directory/2.5.2 B2024.260.0000 starting up

      LDAP access

      [11/Feb/2025:16:58:19.316899476 +1000] conn=46 fd=239 slot=239 connection from local to /run/slapd-EXAMPLE-COM.socket
      [11/Feb/2025:16:58:19.317308912 +1000] conn=46 AUTOBIND dn="cn=Directory Manager"
      [11/Feb/2025:16:58:19.317312885 +1000] conn=46 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
      [11/Feb/2025:16:58:19.317327109 +1000] conn=46 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000197768 optime=0.000122314 etime=0.000319731 dn="cn=Directory Manager"
      [11/Feb/2025:16:58:19.567754280 +1000] conn=46 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorVersion"
      [11/Feb/2025:16:58:19.570302403 +1000] conn=46 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000161897 optime=0.002556038 etime=0.002716459
      [11/Feb/2025:16:58:19.575150019 +1000] conn=46 op=2 MOD dn="cn=encryption,cn=config"
      [11/Feb/2025:16:58:19.585622894 +1000] conn=46 op=2 RESULT err=0 tag=103 nentries=0 wtime=0.000086823 optime=0.010480730 etime=0.010564389
      [11/Feb/2025:16:58:19.585990552 +1000] conn=46 op=3 UNBIND
      [11/Feb/2025:16:58:19.586028187 +1000] conn=46 op=3 fd=239 Disconnect - Cleanly Closed Connection - U1
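
The two slapd_ssl_init2 lines in the errors log above are the real tell here: the server accepted sslVersionMax: TLS1.3 from dsconf, but NSS in FIPS mode clamped the effective range back to TLS1.2, which is why a TLS 1.3 ClientHello gets alert 70 (protocol_version). The script below is an added example, not code from the bug report or from 389-ds-base: it parses the "Configured" and "NSS adjusted" range lines out of an errors log and fails when they disagree, so the clamp is caught at startup rather than when a client breaks. The sample log lines are constructed from the format shown in the report; the optional live probe assumes openssl s_client with -tls1_3 support and a reachable LDAPS port, and is not exercised here.

```bash
#!/bin/bash
# Added example (not part of the bug report or of 389-ds-base): detect when NSS has
# silently clamped the TLS version range that 389-ds was configured with, by comparing
# the two "slapd_ssl_init2" lines the server writes to its errors log at startup.
# A mismatch between "Configured" and "NSS adjusted" is what the report shows in FIPS
# mode: sslVersionMax says TLS1.3, the effective range tops out at TLS1.2.

# Extract "min: X, max: Y" from the first log line matching the given prefix.
# Prints "X Y"; prints nothing if no such line exists.
ssl_range_from_log() {   # $1 = errors log, $2 = "Configured" | "NSS adjusted"
    sed -n "s/.*slapd_ssl_init2 - $2 SSL version range: min: \([^,]*\), max: \(.*\)\$/\1 \2/p" "$1" | head -n 1
}

# Compare configured vs effective range. Returns 0 when they agree, 1 when NSS
# clamped the range, 2 when the log carries no slapd_ssl_init2 range lines at all.
check_tls_range_clamp() {   # $1 = path to the slapd errors log
    local configured adjusted
    configured=$(ssl_range_from_log "$1" "Configured")
    adjusted=$(ssl_range_from_log "$1" "NSS adjusted")
    if [ -z "$configured" ] || [ -z "$adjusted" ]; then
        echo "no slapd_ssl_init2 range lines found in $1" >&2
        return 2
    fi
    if [ "$configured" != "$adjusted" ]; then
        echo "TLS range clamped by NSS: configured [$configured], effective [$adjusted]" >&2
        return 1
    fi
    echo "TLS range OK: [$adjusted]"
    return 0
}

# Live check against a running LDAPS port (needs network; not run in this example).
# A successful handshake prints "New, TLSv1.x, Cipher is ..."; a refused version
# prints "New, (NONE), Cipher is (NONE)" as in the report, or nothing at all.
probe_ldaps_tls() {   # $1 = host, $2 = port (636 for LDAPS)
    local v
    for v in tls1_2 tls1_3; do
        if openssl s_client -connect "$1:$2" "-$v" </dev/null 2>/dev/null \
             | grep -qE '^New, TLSv[0-9.]+, Cipher is '; then
            echo "$v: ok"
        else
            echo "$v: refused"
        fi
    done
}

# Constructed sample logs modelled on the errors log in the report (timestamps reused).
CLAMPED_LOG=$(mktemp)
cat >"$CLAMPED_LOG" <<'EOF'
[11/Feb/2025:16:25:35.744204689 +1000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[11/Feb/2025:16:25:35.753124427 +1000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.2
EOF

OK_LOG=$(mktemp)
cat >"$OK_LOG" <<'EOF'
[11/Feb/2025:16:25:35.744204689 +1000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[11/Feb/2025:16:25:35.753124427 +1000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
EOF

# Usage: the clamped log (the report's situation) fails, the fixed one passes.
check_tls_range_clamp "$CLAMPED_LOG" || true
check_tls_range_clamp "$OK_LOG"
# probe_ldaps_tls "$(hostname)" 636    # live probe against a real server
```

On a real host, point check_tls_range_clamp at /var/log/dirsrv/slapd-INSTANCE/errors after a restart; the "NSS adjusted" line, not `dsconf security get`, is what reflects the range NSS will actually negotiate, and probe_ldaps_tls confirms it from the client side the same way the openssl s_client run in the report does.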

idm-ds-dev-bugs (IdM DS Dev)
rhn-support-dchen (Ding Yi Chen)
IdM DS Dev
Viktor Ashirov
Evgenia Martyniuk