#50362 Protocol setting is inconsistent in FIPS mode
Closed: wontfix 2 years ago by mreynolds. Opened 3 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1706224

Description of problem:

Installing IdM in FIPS mode fails near the end when the DM password is reset
over startTLS with a TLS alert.

ldap_start_tls: Connect error (-11) additional info: error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error

If a min/max value is provided directly for the TLS configuration, even if it
matches the default, the installation is successful and LDAP responds.

dn: cn=encryption,cn=config
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3

The TLS configuration messages look identical between a non-working:

[03/May/2019:16:12:45.637681302 -0400] - INFO - Security Initialization -
slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

and a working configuration.

[03/May/2019:16:14:45.367855588 -0400] - INFO - Security Initialization -
slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

When failing this is logged whenever a TLS/startTLS connection is made:

[03/May/2019:16:14:48.486690472 -0400] conn=5 fd=66 slot=66 connection from
192.168.121.98 to 192.168.121.98
[03/May/2019:16:14:48.486995136 -0400] conn=5 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[03/May/2019:16:14:48.487029802 -0400] conn=5 op=0 RESULT err=0 tag=120
nentries=0 etime=0.0000314375
[03/May/2019:16:14:48.487289319 -0400] conn=5 op=-1 fd=66 closed - security
library failure.
[03/May/2019:16:14:48.674047457 -0400] conn=2 op=1 UNBIND
[03/May/2019:16:14:48.674067633 -0400] conn=2 op=1 fd=65 closed - U1

The client receives an error about a tls alert (duplicated using ldapsearch and
ldappasswd).

Note that this was discovered while ensuring IdM works in FIPS mode. Other
unrelated issues were detected as well.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5.x86_64

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1706224

3 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

3 years ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

3 years ago

Metadata Update from @mreynolds:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

2 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3421

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: duplicate)

2 years ago

Login to comment on this ticket.

Metadata