Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1706224
Description of problem: Installing IdM in FIPS mode fails near the end when the DM password is reset over startTLS with a TLS alert.

    ldap_start_tls: Connect error (-11)
    additional info: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

If a min/max value is provided directly for the TLS configuration, even if it matches the default, the installation is successful and LDAP responds.

    dn: cn=encryption,cn=config
    sslVersionMin: TLS1.0
    sslVersionMax: TLS1.3

The TLS configuration messages look identical between a non-working configuration:

    [03/May/2019:16:12:45.637681302 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

and a working configuration:

    [03/May/2019:16:14:45.367855588 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

When failing, this is logged whenever a TLS/startTLS connection is made:

    [03/May/2019:16:14:48.486690472 -0400] conn=5 fd=66 slot=66 connection from 192.168.121.98 to 192.168.121.98
    [03/May/2019:16:14:48.486995136 -0400] conn=5 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
    [03/May/2019:16:14:48.487029802 -0400] conn=5 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000314375
    [03/May/2019:16:14:48.487289319 -0400] conn=5 op=-1 fd=66 closed - security library failure.
    [03/May/2019:16:14:48.674047457 -0400] conn=2 op=1 UNBIND
    [03/May/2019:16:14:48.674067633 -0400] conn=2 op=1 fd=65 closed - U1

The client receives an error about a TLS alert (duplicated using ldapsearch and ldappasswd).

Note that this was discovered while ensuring IdM works in FIPS mode. Other unrelated issues were detected as well.

Version-Release number of selected component (if applicable): 389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5.x86_64
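The access-log pattern in the report (a StartTLS extended operation on a connection, followed by the server closing that same connection with "security library failure" instead of a client unbind) is easy to pick out automatically. The following script is an added example, not code from the ticket or from 389-ds-base: it parses 389-ds access-log lines of the form quoted above and flags StartTLS connections that were closed for a reason other than a normal client unbind. The sample log text is constructed from the lines in the report; the treatment of "U1" as the only benign close reason is an assumption made for the example.

```python
import re

# Constructed sample lines, modelled on the 389-ds access-log excerpt quoted in
# the ticket (not captured from a real deployment).
SAMPLE_LOG = """\
[03/May/2019:16:14:48.486690472 -0400] conn=5 fd=66 slot=66 connection from 192.168.121.98 to 192.168.121.98
[03/May/2019:16:14:48.486995136 -0400] conn=5 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[03/May/2019:16:14:48.487029802 -0400] conn=5 op=0 RESULT err=0 tag=120 nentries=0 etime=0.0000314375
[03/May/2019:16:14:48.487289319 -0400] conn=5 op=-1 fd=66 closed - security library failure.
[03/May/2019:16:14:48.674047457 -0400] conn=2 op=1 UNBIND
[03/May/2019:16:14:48.674067633 -0400] conn=2 op=1 fd=65 closed - U1
"""

# StartTLS extended-operation OID, as it appears in the EXT line above.
START_TLS_OID = "1.3.6.1.4.1.1466.20037"

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
EXT_RE = re.compile(r'\bEXT oid="(?P<oid>[0-9.]+)"')
CLOSE_RE = re.compile(r"\bclosed - (?P<reason>.*?)\.?$")

# Close reasons treated as a normal client-initiated end of session (assumption
# for this example: only the unbind code "U1"). Anything else following a
# StartTLS request is reported.
BENIGN_CLOSE = {"U1"}


def find_starttls_failures(log_text):
    """Return [(conn, timestamp, reason)] for connections that issued StartTLS
    and were then closed by the server for a non-benign reason."""
    starttls_requested = set()
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest, ts = m.group("conn"), m.group("rest"), m.group("ts")
        ext = EXT_RE.search(rest)
        if ext and ext.group("oid") == START_TLS_OID:
            starttls_requested.add(conn)
            continue
        close = CLOSE_RE.search(rest)
        if close and conn in starttls_requested:
            reason = close.group("reason")
            # conn ids are reused over time, so forget the conn once it closes.
            starttls_requested.discard(conn)
            if reason not in BENIGN_CLOSE:
                failures.append((conn, ts, reason))
    return failures


def summarize(failures):
    """Count failures by close reason, e.g. {'security library failure': 1}."""
    counts = {}
    for _conn, _ts, reason in failures:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_starttls_failures(SAMPLE_LOG)
    for conn, ts, reason in found:
        print(f"conn={conn} at {ts}: StartTLS followed by close: {reason}")
    print(summarize(found))
```

Run against a real access log (`python3 script.py < /var/log/dirsrv/slapd-INSTANCE/access` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), a non-empty result on every StartTLS attempt, as in the report, points at the server-side TLS initialisation rather than at individual clients.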
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1706224
Metadata Update from @mreynolds: - Issue assigned to mreynolds
Metadata Update from @mreynolds: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None
Fixed in https://pagure.io/389-ds-base/issue/50355
Metadata Update from @mreynolds: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/3421
If you want to receive further updates on the issue, please navigate to the GitHub issue and click the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: duplicate)