#50362 Protocol setting is inconsistent in FIPS mode
Opened a month ago by mreynolds. Modified a month ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1706224

Description of problem:

Installing IdM in FIPS mode fails near the end when the DM password is reset
over startTLS with a TLS alert.

ldap_start_tls: Connect error (-11) additional info: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

If a min/max value is provided directly for the TLS configuration, even if it
matches the default, the installation is successful and LDAP responds.

dn: cn=encryption,cn=config
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3

The TLS configuration messages look identical between a non-working:

[03/May/2019:16:12:45.637681302 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

and a working configuration.

[03/May/2019:16:14:45.367855588 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

When failing this is logged whenever a TLS/startTLS connection is made:

[03/May/2019:16:14:48.486690472 -0400] conn=5 fd=66 slot=66 connection from 192.168.121.98 to 192.168.121.98
[03/May/2019:16:14:48.486995136 -0400] conn=5 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[03/May/2019:16:14:48.487029802 -0400] conn=5 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000314375
[03/May/2019:16:14:48.487289319 -0400] conn=5 op=-1 fd=66 closed - security library failure.
[03/May/2019:16:14:48.674047457 -0400] conn=2 op=1 UNBIND
[03/May/2019:16:14:48.674067633 -0400] conn=2 op=1 fd=65 closed - U1

The client receives an error about a TLS alert (duplicated using ldapsearch and
ldappasswd).

Note that this was discovered while ensuring IdM works in FIPS mode. Other
unrelated issues were detected as well.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5.x86_64
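To spot this failure mode in an access log without reproducing it by hand, the following added example (not code from the ticket or from 389-ds-base) correlates each connection's StartTLS extended operation with a subsequent "closed - security library failure" entry, the pattern shown above. The sample log is constructed from the ticket's excerpt plus one healthy connection (conn=7) for contrast; the line regex and field parsing are this example's own assumptions about the access log format.

```python
import re

# Constructed sample: the ticket's failing conn=5 and conn=2 lines, plus a
# healthy conn=7 that completes StartTLS and a bind before a normal close.
SAMPLE_LOG = """\
[03/May/2019:16:14:48.486690472 -0400] conn=5 fd=66 slot=66 connection from 192.168.121.98 to 192.168.121.98
[03/May/2019:16:14:48.486995136 -0400] conn=5 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[03/May/2019:16:14:48.487029802 -0400] conn=5 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000314375
[03/May/2019:16:14:48.487289319 -0400] conn=5 op=-1 fd=66 closed - security library failure.
[03/May/2019:16:14:48.674047457 -0400] conn=2 op=1 UNBIND
[03/May/2019:16:14:48.674067633 -0400] conn=2 op=1 fd=65 closed - U1
[03/May/2019:16:15:01.000000001 -0400] conn=7 fd=68 slot=68 connection from 192.168.121.50 to 192.168.121.98
[03/May/2019:16:15:01.000000002 -0400] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[03/May/2019:16:15:01.000000003 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000300000
[03/May/2019:16:15:01.000000004 -0400] conn=7 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[03/May/2019:16:15:01.000000005 -0400] conn=7 op=2 UNBIND
[03/May/2019:16:15:01.000000006 -0400] conn=7 op=2 fd=68 closed - U1
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation
# Assumed shape of an access log line: [timestamp] conn=N <rest of line>
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')


def find_starttls_failures(log_text):
    """Return [(conn, client_ip, close_timestamp)] for every connection that
    requested StartTLS and was then closed with a security library failure."""
    client_ip = {}        # conn id -> client address from the 'connection from' line
    started_tls = set()   # conn ids that issued the StartTLS EXT op
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access log line we understand; skip it
        conn, rest, ts = m.group("conn"), m.group("rest"), m.group("ts")
        if " connection from " in rest:
            client_ip[conn] = rest.split("connection from ")[1].split(" to ")[0]
        elif f'EXT oid="{STARTTLS_OID}"' in rest:
            started_tls.add(conn)
        elif "closed - security library failure" in rest and conn in started_tls:
            failures.append((conn, client_ip.get(conn, "?"), ts))
    return failures


if __name__ == "__main__":
    for conn, ip, ts in find_starttls_failures(SAMPLE_LOG):
        print(f"conn={conn} from {ip} failed StartTLS at {ts}")
```

A burst of such hits right after enabling FIPS mode, while the errors log still reports the expected "Configured SSL version range", is the signature described in this ticket and a cue to set sslVersionMin/sslVersionMax explicitly under cn=encryption,cn=config.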

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1706224

a month ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

a month ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

a month ago
