topic Re: SSL LDAP breaks from 6.3.3 to 6.3.5 in Security

SSL LDAP breaks from 6.3.3 to 6.3.5

schose — Tue, 19 Jul 2016 11:10:07 GMT

Hi forum,

I updated my search head from 6.3.3 to 6.3.5. After the update, LDAP with SSL isn't working anymore.
splunkd.log tells me:

07-19-2016 13:02:23.647 +0200 ERROR ScopedLDAPConnection - strategy="LDAP" Error binding to LDAP. reason="Can't contact LDAP server".

LDAP server is surely reachable. In log of the LDAP server we see that the client is terminating the connection.

sudo /opt/splunk/bin/splunk  cmd openssl s_client -showcerts -host ldapserver -port 636

tells me at a certain point

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 7139 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)

This is different to 6.3.3...

Any hints?!

Thanks for your help in advance,

Andreas

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

schose — Tue, 19 Jul 2016 11:25:54 GMT

fyi: same issue with v6.3.4

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

hardikJsheth — Tue, 19 Jul 2016 12:06:32 GMT

Can you share your ldap configuration ? Have you added configuration in authentication.conf file under auth app?

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

schose — Tue, 19 Jul 2016 12:37:36 GMT

We does not change any LDAP configuration, however we see that openssl have been updated to 1.0.2g. It seems that ldap client could be configured with etc/openldap/ldap.conf ?! We are pretty sure that the current openldap release does not execept DH with 768bit server keys and we need to adjust cipher suites.

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

msche — Tue, 29 Sep 2020 10:16:42 GMT

We know this issue, using a special LDAP-environment.
Specs are described at
https://www.openssl.org/docs/manmaster/apps/ciphers.html

We had to add in /etc/openldap/ldap.conf something like this:
TLS_CIPHER_SUITE HIGH:!DHE

To use secific ssl-parameter for the LDAP-connection

This issue was described within RN 6.3.5 SPL-109427

Matthias

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

msche — Tue, 29 Sep 2020 10:16:44 GMT

We know this issue, using a special LDAP-environment.
Specs are described at
https://www.openssl.org/docs/manmaster/apps/ciphers.html

We had to add in /etc/openldap/ldap.conf something like this:
TLS_CIPHER_SUITE HIGH:!DHE

To use secific ssl-parameter for the LDAP-connection

This issue was described within RN 6.3.5 SPL-109427

Matthias

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

rafamss — Tue, 19 Jul 2016 13:58:53 GMT

Put the string below in your ldap.conf file ($SPLUNK_HOME/etc/openldap/certs) and see if this is fixed.

TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

schose — Tue, 19 Jul 2016 14:23:04 GMT

Hi Matthias,

thx. this fixes our issue!

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

schose — Tue, 19 Jul 2016 14:25:11 GMT

Hi all,

as matthias wrote adding:

TLS_CIPHER_SUITE HIGH:!DHE

to etc/openldap/ldap.conf fixes the issue. It seems if openssl 1.0.2g does not accept DH with short key sizes.

Thx all for your help!

Andreas

Re: SSL LDAP breaks from 6.3.3 to 6.3.5

mgaraventa_splu — Tue, 19 Jul 2016 17:16:33 GMT

Considering that 6.3.4 and 6.3.5 now use a new openssl version, due to new vulnerabilities found, the LDAP server needs to have the most up-to-date default cipher list in order to be approved by the splunk default cipher list.

If it is not possible to update the default cipher list on the LDAP server (AD 2003 for instance is buggy and update won't be possible - SPL-109427), then following workaround should be applied:

1) obtain Ciphers configured on your LDAP server.
2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it.

HTH.