Hi forum,
I updated my search head from 6.3.3 to 6.3.5. After the update, LDAP with SSL isn't working anymore.
splunkd.log tells me:
07-19-2016 13:02:23.647 +0200 ERROR ScopedLDAPConnection - strategy="LDAP" Error binding to LDAP. reason="Can't contact LDAP server".
The LDAP server is surely reachable. In the log of the LDAP server we see that the client is terminating the connection.
sudo /opt/splunk/bin/splunk cmd openssl s_client -showcerts -host ldapserver -port 636
tells me at a certain point
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 7139 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
This is different from 6.3.3...
Any hints?!
Thanks for your help in advance,
Andreas
Hi all,
As Matthias wrote, adding:
TLS_CIPHER_SUITE HIGH:!DHE
to etc/openldap/ldap.conf fixes the issue. It seems that openssl 1.0.2g does not accept DH with short key sizes.
Thanks all for your help!
Andreas
Considering that 6.3.4 and 6.3.5 now use a new openssl version, due to new vulnerabilities found, the LDAP server needs to have the most up-to-date default cipher list in order to be approved by the splunk default cipher list.
If it is not possible to update the default cipher list on the LDAP server (AD 2003 for instance is buggy and an update won't be possible - SPL-109427), then the following workaround should be applied:
1) obtain the ciphers configured on your LDAP server.
2) tweak the TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it.
HTH.
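A small checker for the s_client output quoted in the question, added here as an example and not part of any post in this thread: it parses the "Server Temp Key" and "Cipher is" lines, flags an ephemeral DH group below 1024 bits (which the 1.0.2g client refuses, hence the 768-bit failure above), and points to the two remedies discussed here (fix the server's DH parameters, or the TLS_CIPHER_SUITE HIGH:!DHE workaround). The transcripts are constructed, and the 1024-bit threshold, the ECDH sample values and the function names are assumptions.

```python
import re

# Constructed sample: tail of the s_client run quoted in the question
# (handshake aborted, server offered a 768-bit ephemeral DH group).
SAMPLE_FAILED = """\
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 7139 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
"""
# Constructed sample of a healthy handshake (values assumed, not from the thread).
SAMPLE_OK = """\
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3210 bytes and written 415 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""
MIN_DH_BITS = 1024  # assumed: the 1.0.2g client refuses DHE groups below this size
KEY_RE = re.compile(r"^Server Temp Key: (\w+),(?:.*?,)? (\d+) bits", re.M)
CIPHER_RE = re.compile(r"^New, .*?, Cipher is (\S+)", re.M)

def analyze_s_client(output):
    """Summarise key exchange and negotiated cipher from an s_client transcript."""
    key = KEY_RE.search(output)
    cipher = CIPHER_RE.search(output)
    kex = key.group(1) if key else None
    bits = int(key.group(2)) if key else None
    name = cipher.group(1) if cipher else "(NONE)"
    return {
        "kex": kex,
        "kex_bits": bits,
        "cipher": None if name == "(NONE)" else name,
        "handshake_ok": name != "(NONE)",
        # ECDH sizes are curve sizes, so only plain DH is judged against MIN_DH_BITS
        "weak_dh": kex == "DH" and bits is not None and bits < MIN_DH_BITS,
    }

def advise(result):
    """Map the summary to the two remedies discussed in this thread."""
    if result["handshake_ok"]:
        return "handshake completed with " + result["cipher"]
    if result["weak_dh"]:
        return ("server offers a %d-bit DH group: fix the DH parameters on the server, "
                "or as a client-side workaround set TLS_CIPHER_SUITE HIGH:!DHE "
                "in etc/openldap/ldap.conf" % result["kex_bits"])
    return "handshake failed for another reason; check certificates and protocol versions"
```

Pipe a real transcript into analyze_s_client() (for example the output of the s_client command from the question) and advise() tells you whether the failure is the DH-size case this thread is about.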
Put the string below in your ldap.conf file ($SPLUNK_HOME/etc/openldap/certs) and see if this is fixed.
TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5
We know this issue, using a special LDAP-environment.
Specs are described at
https://www.openssl.org/docs/manmaster/apps/ciphers.html
We had to add in /etc/openldap/ldap.conf something like this:
TLS_CIPHER_SUITE HIGH:!DHE
to use specific SSL parameters for the LDAP connection.
This issue was described within RN 6.3.5 SPL-109427
Matthias
Hi Matthias,
Thanks, this fixes our issue!
fyi: same issue with v6.3.4
We did not change any LDAP configuration, however we see that openssl has been updated to 1.0.2g. It seems that the ldap client could be configured with etc/openldap/ldap.conf?! We are pretty sure that the current openldap release does not accept DH with 768-bit server keys and we need to adjust cipher suites.
Can you share your LDAP configuration? Have you added configuration in the authentication.conf file under the auth app?