[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: (ITS#7867) TLS SHA512

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7867) TLS SHA512
From: hyc@symas.com
Date: Sat, 31 May 2014 18:06:09 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)
yann+openldap@verry.org wrote:
> Full_Name: Yann Verry
> Version: 2.4.39
> OS: debian/sid
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2a01:e35:2e6d:c800:d572:aec:1b42:380c)

This is purely a TLS issue, OpenLDAP has nothing to do with it. Ask for help 
on a gnutls support forum. Closing this ITS.
>
>
> Hi,
>
> I would like (CACert sign class3 now with SHA512) to switch my X509 certificate
> with a signature algorithm SHA512.
> When I do this openldap bind on SSL port but was unable to provide SSL
> connection as you can see in error:
>
> 2014-05-31T00:20:46.852821+02:00 peach slapd[23997]: >>>
> slap_listener(ldaps:///)
> 2014-05-31T00:20:46.853369+02:00 peach slapd[23997]: connection_get(35): got
> connid=1068
> 2014-05-31T00:20:46.853891+02:00 peach slapd[23997]: connection_read(35):
> checking for input on id=1068
> 2014-05-31T00:20:46.854526+02:00 peach slapd[23997]: connection_read(35): TLS
> accept failure error=-1 id=1068, closing
> 2014-05-31T00:20:46.855071+02:00 peach slapd[23997]: connection_close: conn=1068
> sd=35
>
> If I fall back to sha256 it works fine
>
>
> How to reproduce
> ================
>
> - generate self signed with sha256 and sha512:
>
> mkdir -p /etc/ldap/ssl
> cd !$
>
> # priv
> certtool --generate-privkey --sec-param normal --outfile mypriv_normal.key
>
> # self
> certtool -s --load-privkey mypriv_normal.key --outfile gnutls512_normal.crt
> --hash SHA512
> certtool -s --load-privkey mypriv_normal.key --outfile gnutls256_normal.crt
> --hash SHA256
>
> # build PEM
> cat mypriv_normal.key gnutls512_normal.crt > gnutls512_normal.pem
> cat mypriv_normal.key gnutls256_normal.crt > gnutls256_normal.pem
>
>
> my cn=config:
>
> olcTLSCACertificateFile: /etc/ldap/ssl/sslcertificate.pem
> olcTLSCertificateFile: /etc/ldap/ssl/sslcertificate.pem
> olcTLSCertificateKeyFile: /etc/ldap/ssl/sslcertificate.pem
>
> now just play with symlink.
>
> sha256
> ------
>
> ln -s gnutls256_normal.pem sslcertificate.pem ; then restart openldap
>
> make a client connection:
>
> gnutls-cli ldap.verry.org -p 636
> Resolving 'ldap.verry.org'...
> Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'...
> - Certificate type: X.509
>   - Got a certificate list of 1 certificates.
>   - Certificate[0] info:
>    - subject `CN=ldap.verry.org', issuer `CN=ldap.verry.org', RSA key 2432 bits,
> signed using RSA-SHA256, activated `2014-05-31 08:26:59 UTC', expires
> `2024-05-28 08:27:03 UTC', SHA-1 fingerprint
> `600b2a502289644c075d4b3eaf7b1efd38685687'
> - The hostname in the certificate matches 'ldap.verry.org'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.2
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
>
> server view, it's OK:
>
> 538909bf conn=1007 fd=32 TLS established tls_ssf=256 ssf=256
>
>
>
> sha512
> ------
> rm previous symlink and ln -s gnutls512_normal.pem sslcertificate.pem ; then
> restart openldap
>
> make a connection:
>
> gnutls-cli ldap.verry.org -p 636
> Resolving 'ldap.verry.org'...
> Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GnuTLS error: A TLS packet with unexpected length was received.
>
> server view:
>
> TLS: can't accept: Could not negotiate a supported cipher suite..
> 538909f9 connection_read(28): TLS accept failure error=-1 id=1000, closing
> 538909f9 connection_closing: readying conn=1000 sd=28 for close
> 538909f9 connection_close: conn=1000 sd=28
> 538909f9 daemon: removing 28
> 538909f9 conn=1000 fd=28 closed (TLS negotiation failure)
>
>
>
> gnutls
> ======
>
> gnutls-cli -l|grep SHA512
> MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD
> Digests: SHA1, MD5, SHA256, SHA384, SHA512, SHA224
> PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256,
> SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1,
> SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2,
> SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384,
> SIGN-ECDSA-SHA512
>
> I can provide more information as needed to solve this issue
>
> Regards,
> Yann
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
Prev by Date: (ITS#7867) TLS SHA512
Index(es):
- Chronological
- Thread