Security

SSL LDAP breaks from 6.3.3 to 6.3.5

Contributor

Hi forum,

I updated my search head from 6.3.3 to 6.3.5. After the update, LDAP with SSL isn't working anymore.
splunkd.log tells me:

07-19-2016 13:02:23.647 +0200 ERROR ScopedLDAPConnection - strategy="LDAP" Error binding to LDAP. reason="Can't contact LDAP server".

The LDAP server is surely reachable. In the log of the LDAP server we see that the client is terminating the connection.

sudo /opt/splunk/bin/splunk  cmd openssl s_client -showcerts -host ldapserver -port 636 

tells me at a certain point

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 7139 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)

This is different to 6.3.3...

Any hints?!

Thanks for your help in advance,

Andreas

1 Solution

Contributor

Hi all,

as Matthias wrote, adding:

TLS_CIPHER_SUITE HIGH:!DHE

to etc/openldap/ldap.conf fixes the issue. It seems that openssl 1.0.2g does not accept DH with short key sizes.

Thx all for your help!

Andreas


Splunk Employee

Considering that 6.3.4 and 6.3.5 now use a new openssl version, due to new vulnerabilities found, the LDAP server needs to have the most up-to-date default cipher list in order to be approved by the splunk default cipher list.

If it is not possible to update the default cipher list on the LDAP server (AD 2003 for instance is buggy and an update won't be possible - SPL-109427), then the following workaround should be applied:

1) obtain Ciphers configured on your LDAP server.
2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it.

HTH.
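As an added example, not code from the thread: a small Python helper that parses the openssl s_client output quoted in the question, flags an ephemeral DH group below the 1024-bit minimum that OpenSSL has enforced since 1.0.2f, and emits the ldap.conf line from the accepted solution as the client-side workaround for the two steps above. The line patterns and the 1024-bit threshold are assumptions based on OpenSSL 1.0.2 behaviour; the sample output is constructed from the question.

```python
import re

# Constructed sample: the relevant lines from the s_client output in the question.
SAMPLE_S_CLIENT_OUTPUT = """\
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 7139 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Assumption: OpenSSL 1.0.2f and later reject DHE groups shorter than 1024 bits.
MIN_DH_BITS = 1024

# "Server Temp Key: DH, 768 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*(\w+),\s*(?:[\w-]+,\s*)?(\d+)\s*bits", re.M)
# "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" / "New, (NONE), Cipher is (NONE)"
CIPHER_RE = re.compile(r"^New,\s*(.+?),\s*Cipher is\s*(.+)$", re.M)


def parse_temp_key(output):
    """Return (key-exchange type, bits) from the 'Server Temp Key' line, or None."""
    m = TEMP_KEY_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def handshake_succeeded(output):
    """True when s_client negotiated a real cipher rather than (NONE)."""
    m = CIPHER_RE.search(output)
    return bool(m) and m.group(2).strip() != "(NONE)"


def diagnose(output):
    """Classify the s_client result and suggest the ldap.conf workaround if it applies.

    Returns ("ok", None), ("weak-dh", <ldap.conf line>) or ("unknown", None).
    The real fix is a >=1024-bit DH group (or ECDHE) on the LDAP server;
    excluding DHE on the client only sidesteps the rejected group.
    """
    if handshake_succeeded(output):
        return "ok", None
    key = parse_temp_key(output)
    if key and key[0] == "DH" and key[1] < MIN_DH_BITS:
        return "weak-dh", "TLS_CIPHER_SUITE HIGH:!DHE"
    return "unknown", None
```

Feed it the saved output of the s_client command from the question; a "weak-dh" verdict means the server's DH group, not reachability, is what breaks the bind.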


Contributor

Put the string below in your ldap.conf file ($SPLUNK_HOME/etc/openldap/certs) and see if this is fixed.

TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5

New Member

We know this issue, using a special LDAP environment.
Specs are described at
https://www.openssl.org/docs/manmaster/apps/ciphers.html

We had to add in /etc/openldap/ldap.conf something like this:
TLS_CIPHER_SUITE HIGH:!DHE

to use specific SSL parameters for the LDAP connection.

This issue was described within RN 6.3.5 SPL-109427

Matthias


Contributor

Hi Matthias,

Thx, this fixes our issue!



Contributor

fyi: same issue with v6.3.4


Contributor

We did not change any LDAP configuration; however, we see that openssl has been updated to 1.0.2g. It seems that the LDAP client can be configured with etc/openldap/ldap.conf?! We are pretty sure that the current openldap release does not accept DH with 768-bit server keys and we need to adjust the cipher suites.


Motivator

Can you share your LDAP configuration? Have you added configuration in the authentication.conf file under the auth app?
