#3935 Fedora 29 SSSD SSLv3/TLS write client hello error
Closed: Fixed 4 years ago by warthur. Opened 5 years ago by warthur.

With fedora 28 (sssd 1.6) I could authenticate fine to an ldap server, but with Fedora 29 and the same sssd.conf and /etc/openldap/ldap.conf settings I get the following error:

TLS trace: SSL_connect:error in SSLv3/TLS write client hello.

I notice the changelog for openldap-clients package mentions removing sslv3. I am wondering if it is possible this is the issue, and is there any way to add it back.


With a bit of luck libldap respects the crypto-policies; please see man update-crypto-policies for how to enable a more relaxed policy.

HTH

bye,
Sumit

Thanks! But I've tried setting update-crypto-policies --set LEGACY and the issue still occurs. I also rebooted the OS and confirmed it with update-crypto-policies --show. Here is a more detailed log:

INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Support for all SSL protocols is disabled in crypto libraries in Fedora.

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings

Disabling SSLv3 happened in Fedora 23 (https://fedoraproject.org//wiki/Changes/RemoveSSL3andRc4)

At devconf.cz 2019, Thomas Mraz gave a talk about system-wide crypto policies and their direction of operation. Slide 19 of https://schd.ws/hosted_files/devconfcz2019/5b/crypto-policies-what-why.pdf shows that SSLv2 and SSLv3 are disabled on the library level and thus not usable unless you recompile those libraries. SSLv2 was removed from openssl 1.1.0 upstream, and SSLv3 was deprecated.

OK, thanks for the additional information Abbra. I'm still confused as to why the authentication worked for me with Fedora 28, but now it does not with Fedora 29.

Is it because Fedora 28 has an older openssl? It appears to be openssl-1.1.0i-1.fc28.x86_64, whereas Fedora 29 seems to be openssl-1.1.1a-1.fc29.x86_64.

According to the spec of openssl for F28, SSLv3 has been disabled since 2014. The most recent patch is referenced in https://src.fedoraproject.org/rpms/openssl/blob/f28/f/openssl.spec#_57. The patch actually disables SSLv3 but allows applications to re-enable it with SSL configuration or by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3).

Perhaps, the latter call was removed from OpenLDAP library?
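The version-floor mismatch discussed above, as an added example that is not code from this thread or from OpenLDAP, SSSD or OpenSSL: an in-process Go reproduction that stands up a TLS server restricted to one protocol range, probes which versions it will complete a handshake for, and then checks whether a client with a given minimum version can connect at all. Go dropped SSLv3 entirely, so TLS 1.0 stands in for the SSLv3-only directory server; the certificate, the loopback listener and the "localhost" name are constructed fixtures, and the Scenario/ProbeVersions names are this example's own. The check it encodes is the one to run before relaxing a crypto policy: find out what the server actually accepts (openssl s_client -tls1, -tls1_1, -tls1_2, -tls1_3 does the same by hand), and if nothing newer than SSLv3 works, the fix belongs on the server, not in the client's policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions a Go client can still offer. SSLv3 is absent on purpose: Go removed it
// outright, so TLS 1.0 plays the "legacy-only server" role in this example.
var probeVersions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway "localhost" certificate in memory (a constructed
// fixture) and a pool that pins it, so the client verifies instead of skipping verification.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// dial attempts a single handshake with the client pinned to [minVer, maxVer].
func dial(addr string, roots *x509.CertPool, minVer, maxVer uint16) bool {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: minVer, MaxVersion: maxVer}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// ProbeVersions tries each version on its own (what "openssl s_client -tls1 ... -tls1_3"
// does by hand) and reports which ones the server completes a handshake for.
func ProbeVersions(addr string, roots *x509.CertPool) map[uint16]bool {
	out := map[uint16]bool{}
	for _, v := range probeVersions {
		out[v] = dial(addr, roots, v, v)
	}
	return out
}

// Scenario stands up a server limited to [serverMin, serverMax], probes it, and reports
// whether a client whose policy floor is clientMin (compare DEFAULT vs LEGACY) connects.
func Scenario(serverMin, serverMax, clientMin uint16) (map[uint16]bool, bool, error) {
	cert, roots := selfSignedCert()
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin, MaxVersion: serverMax}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return nil, false, err
	}
	defer ln.Close()
	go func() { // emulated directory server: finish (or refuse) each handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	addr := ln.Addr().String()
	return ProbeVersions(addr, roots), dial(addr, roots, clientMin, tls.VersionTLS13), nil
}

func main() {
	// A server stuck on TLS 1.0 (stand-in for SSLv3-only) seen from a TLS 1.2 floor, then a TLS 1.0 floor.
	for _, clientMin := range []uint16{tls.VersionTLS12, tls.VersionTLS10} {
		sup, ok, err := Scenario(tls.VersionTLS10, tls.VersionTLS10, clientMin)
		must(err)
		fmt.Printf("client floor %#x: server accepts %v, client connects: %v\n", clientMin, sup, ok)
	}
}
```

Running it prints one line per client floor: with the floor at TLS 1.2 the probe shows the server only completing TLS 1.0 and the client failing, exactly the shape of the "write client hello" failure in the log above; with the floor relaxed to TLS 1.0 the same server connects. Pointing Scenario at a modern range (serverMin TLS 1.2) shows the other half of the argument: relaxing the client policy changes nothing when the server is already fine, so the probe tells you where the fix has to go.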

Yes. It looks like it may be this: https://src.fedoraproject.org/rpms/openldap/c/939ce64f7f313df3db35e1fda38e8c143e208c9a?branch=master

I am a bit confused on what is going on. I guess SSLv3 support within openldap was added with a patch for Fedora 28, and then with Fedora 29 it is stuck in a broken state?

I tried downgrading the packages openldap and openldap-clients on Fedora 29 but that doesn't seem to work.

F28 was using the patch that allowed SSLv3 explicitly in openldap. F29 removed that patch. @mhonek, could you please explain why SSLv3 support was removed totally? While it is not recommended for use, unlike SSLv2 it is not deprecated fully in openssl. There are plenty of old systems that need to be accessed yet with SSLv3.

Two main reasons why I removed this from F29 (rawhide at that time):
- The patch was effectively refused by upstream - not in the ITS ticket itself, but the discussion on the upstream IRC channel (and possibly mailing list, I do not remember exactly) was quite clear. And we're trying to keep as close to upstream as possible for supportability reasons.
- After talking to people responsible for crypto it was clear the deliberate decision to disable SSLv3 in OpenSSL by default with a downstream Fedora patch really says SSLv3 should not be used at all.

Feel free to go ahead to the upstream ticket and discuss this, as well as discuss this with Fedora OpenSSL downstream.

Sorry I am new to this so not sure where to comment upstream or downstream.

I think that it should be disabled by default if it is a security concern but there needs to be a way for organizations to turn it on if still needed.

You can still use Fedora 28/CentOS 7 if you need to use SSLv3.

Feel free to go ahead to the upstream ticket and discuss this, as well as discuss this with Fedora OpenSSL downstream.

Have you tried to reach that team?

Metadata Update from @warthur (4 years ago):
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4915

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
