[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Windows Server 2012 R2 - TLS 1.2 connection errors

To: Jeff Lebo <jeflebo@outlook.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Windows Server 2012 R2 - TLS 1.2 connection errors
From: Howard Chu <hyc@symas.com>
Date: Sun, 02 Nov 2014 18:51:54 +0000
In-reply-to: <BLU177-W20A7A973F30724DDBF7C13B1980@phx.gbl>
References: <BLU177-W33DC8A4CD58CA31CAC4CAFB19B0@phx.gbl>, <BLU177-W16737A0B7230B0EA65BEB7B19B0@phx.gbl> <BLU177-W20A7A973F30724DDBF7C13B1980@phx.gbl>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 SeaMonkey/2.32a1

Jeff Lebo wrote:

Enabled some debug logging on the Windows Server side, and with TLS 1.2
disabled, I see that OpenLDAP is using CipherSuite 0x35, which corresponds
to TLS_RSA_AES_256_CBC_SHA1 in GnuTLS.

I've tried every way possible with slapd.conf, but I can't get slapd to start
with the TLSCipherSuite config trying to disable all TLS1.2, or only
enable TLS_RSA_AES_256_CBC_SHA1.

What am I missing?

Your issue has nothing to do with OpenLDAP and has everything to do withGnuTLS and Windows Server 2012. You should read your GnuTLS docs to see whichcipher suites it actually supports in TLS 1.2. And likewise on the Microsoft docs.

Setting the cipher suite doesn't have any effect at all on which protocolversion the TLS library will attempt to use. It only affects which ciphersuites it will attempt to use once a protocol level has been established.

------------------------------------------------------------------------------
From: jeflebo@outlook.com
To: openldap-technical@openldap.org
Subject: RE: Windows Server 2012 R2 - TLS 1.2 connection errors
Date: Sat, 1 Nov 2014 10:09:35 -0700

Disabling TLS 1.2 on the Windows Server "fixes" the issue... just not sure
what AD functionality I may be breaking by doing this.

Anyone else dealt with this?

------------------------------------------------------------------------------
From: jeflebo@outlook.com
To: openldap-technical@openldap.org
Subject: Windows Server 2012 R2 - TLS 1.2 connection errors
Date: Sat, 1 Nov 2014 09:45:48 -0700

Have had a public facing OpenLDAP server setup pointing to Windows Server 2008
on the back end for auth.

AD servers are being migrated to Server 2012 R2, and I see this error on the
Windows side when OpenLDAP tries to authenticate to them:

"An TLS 1.2 connection request was received from a remote client application,
but none of the cipher suites supported by the client application are
supported by the server. The SSL connection request has failed."

"A fatal alert was generated and sent to the remote endpoint. This may result
in termination of the connection. The TLS protocol defined fatal error code is
40. The Windows SChannel error state is 1205."

I've spent the last few days trying different configs, and reading Microsoft
forums, and haven't been able to figure it out.  Apparently MS changed the TLS
configs with 2012R2 and it doesn't support a key length I am using.  I've
tried to disable TLS 1.2 on the OpenLDAP side using TLSCiperSuite in
slapd.conf, but OpenLDAP fails to start with "main: TLS init def ctx failed: -1".



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Windows Server 2012 R2 - TLS 1.2 connection errors
  - From: Jeff Lebo <jeflebo@outlook.com>
- RE: Windows Server 2012 R2 - TLS 1.2 connection errors
  - From: Jeff Lebo <jeflebo@outlook.com>
- RE: Windows Server 2012 R2 - TLS 1.2 connection errors
  - From: Jeff Lebo <jeflebo@outlook.com>

Prev by Date: RE: Windows Server 2012 R2 - TLS 1.2 connection errors
Next by Date: Antw: Kernel segfault slapd
Index(es):
- Chronological
- Thread