[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7867) TLS SHA512

Full_Name: Yann Verry
Version: 2.4.39
OS: debian/sid
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2a01:e35:2e6d:c800:d572:aec:1b42:380c)


Hi,

I would like (CACert sign class3 now with SHA512) to switch my X509 certificate
with a signature algorithm SHA512.
When I do this openldap bind on SSL port but was unable to provide SSL
connection as you can see in error:

2014-05-31T00:20:46.852821+02:00 peach slapd[23997]: >>>
slap_listener(ldaps:///)
2014-05-31T00:20:46.853369+02:00 peach slapd[23997]: connection_get(35): got
connid=1068
2014-05-31T00:20:46.853891+02:00 peach slapd[23997]: connection_read(35):
checking for input on id=1068
2014-05-31T00:20:46.854526+02:00 peach slapd[23997]: connection_read(35): TLS
accept failure error=-1 id=1068, closing
2014-05-31T00:20:46.855071+02:00 peach slapd[23997]: connection_close: conn=1068
sd=35

If I fall back to sha256 it works fine


How to reproduce
================

- generate self signed with sha256 and sha512:

mkdir -p /etc/ldap/ssl
cd !$

# priv
certtool --generate-privkey --sec-param normal --outfile mypriv_normal.key

# self
certtool -s --load-privkey mypriv_normal.key --outfile gnutls512_normal.crt
--hash SHA512
certtool -s --load-privkey mypriv_normal.key --outfile gnutls256_normal.crt
--hash SHA256

# build PEM
cat mypriv_normal.key gnutls512_normal.crt > gnutls512_normal.pem
cat mypriv_normal.key gnutls256_normal.crt > gnutls256_normal.pem


my cn=config:

olcTLSCACertificateFile: /etc/ldap/ssl/sslcertificate.pem
olcTLSCertificateFile: /etc/ldap/ssl/sslcertificate.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/sslcertificate.pem

now just play with symlink.

sha256
------

ln -s gnutls256_normal.pem sslcertificate.pem ; then restart openldap

make a client connection:

gnutls-cli ldap.verry.org -p 636
Resolving 'ldap.verry.org'...
Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=ldap.verry.org', issuer `CN=ldap.verry.org', RSA key 2432 bits,
signed using RSA-SHA256, activated `2014-05-31 08:26:59 UTC', expires
`2024-05-28 08:27:03 UTC', SHA-1 fingerprint
`600b2a502289644c075d4b3eaf7b1efd38685687'
- The hostname in the certificate matches 'ldap.verry.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:


server view, it's OK:

538909bf conn=1007 fd=32 TLS established tls_ssf=256 ssf=256



sha512
------
rm previous symlink and ln -s gnutls512_normal.pem sslcertificate.pem ; then
restart openldap

make a connection:

gnutls-cli ldap.verry.org -p 636
Resolving 'ldap.verry.org'...
Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.

server view:

TLS: can't accept: Could not negotiate a supported cipher suite..
538909f9 connection_read(28): TLS accept failure error=-1 id=1000, closing
538909f9 connection_closing: readying conn=1000 sd=28 for close
538909f9 connection_close: conn=1000 sd=28
538909f9 daemon: removing 28
538909f9 conn=1000 fd=28 closed (TLS negotiation failure)



gnutls
======

gnutls-cli -l|grep SHA512
MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD
Digests: SHA1, MD5, SHA256, SHA384, SHA512, SHA224
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256,
SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1,
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2,
SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384,
SIGN-ECDSA-SHA512

I can provide more information as needed to solve this issue

Regards,
Yann