ONTAP Discussions

Ontap 8.2.4P3 7-Mode LDAP and Ubuntu (Openldap)

parkea2

I have made the following observation in my environment and I am struggling to debug and find a resolution. We support a very mixed environment of Linux / AIX / Solaris / HP-UX. Our LDAP is on both Ubuntu and Solaris, and all run OpenLDAP.

Since we updated the Ubuntu openssl level for this alert:

https://www.ubuntu.com/usn/usn-3087-2/   

Our N-Series servers (ONTAP 8.2.4P3 7-Mode) are failing to connect to the Ubuntu OpenLDAP via TLS now:


Dec 20 07:21:50 ldap7 slapd[12921]: conn=3231 fd=25 ACCEPT from IP=9.42.34.211:39304 (IP=0.0.0.0:636)
Dec 20 07:21:50 ldap7 slapd[12921]: conn=3231 fd=25 closed (TLS negotiation failure)

My initial thought was that CVE-2016-2183 moving DES / 3DES to MEDIUM was the issue, so I extended the LDAP allowed ciphers to include MEDIUM. However, TLS negotiation still fails.

Can anyone tell me what ciphers an ONTAP client sends to the LDAP server during the TLS handshake, so I can test using:

openssl s_client -connect ldap6:636 -tls1 -cipher AES128-SHA

The theory being that if the LDAP server is rejecting the ciphers or the TLS level, the above command would simulate it.

Another option may be wireshark to see the handshake, but as I type this, that option is not open to me currently.

Any thoughts, people?


parkea2

More Information in case anyone is following this:

The problem for me is that DES-CBC3-SHA is used by ONTAP 8.2.4 to establish TLS communications. This is a cipher used by TLS1 and SSLv3. The problem is that OpenSSL has just regraded all 3DES from HIGH to MEDIUM. This is causing this cipher to become unavailable on the LDAP servers, and hence ONTAP 8.2.4, which uses it to establish TLS, can now no longer communicate with our corporate LDAP servers securely. As a corporation we BAN LOW / MEDIUM ciphers + SSLv2/3. TLS1 is allowed, but only just! TLS1.2 is preferred; however, ONTAP 8.2.4 does not support TLS1.2.

I see this problem only getting worse as different vendors roll out the OpenSSL changes for 3DES. My servers are Ubuntu and Solaris. Ubuntu, being very quick to roll out the new patches, is failing today. I expect the Solaris LDAP servers to also stop talking to ONTAP 8.2.4 over TLS once new patches are applied.

Currently I see the options as being:

1) Run non-SSL, which is crazy. But crazier still, it will pass a corporate scan!!

2) Enable DES-CBC3-SHA, then risk-accept the issue until we move in 2017 to a new NetApp with ONTAP 9.x, which can offer TLS 1.2 and other cipher suites.
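To see which ciphers a client actually offers, here is an added example (not from the original thread or from NetApp): a small Python parser that pulls the cipher suite list out of a captured TLS ClientHello record, such as the first client packet wireshark shows, and checks it against a server policy with and without the 3DES suites. The ClientHello bytes, the suite name table and the two policy sets are constructed for illustration, not captured from ONTAP or taken from an OpenSSL cipher list.

```python
import struct

# Cipher suite IDs (IANA) -> OpenSSL names for TLS 1.0-era suites; 0x000A is DES-CBC3-SHA.
SUITE_NAMES = {
    0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x0009: "DES-CBC-SHA",
    0x000A: "DES-CBC3-SHA", 0x0016: "EDH-RSA-DES-CBC3-SHA",
    0x002F: "AES128-SHA", 0x0033: "DHE-RSA-AES128-SHA",
    0x0035: "AES256-SHA", 0x0039: "DHE-RSA-AES256-SHA",
}

def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a raw TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = (hello[0], hello[1])
    pos = 2 + 32                              # skip the 32-byte client random
    pos += 1 + hello[pos]                     # skip the session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites

def negotiable(offered, server_allowed):
    """Suites both sides accept, in client order; empty is what slapd logs as 'TLS negotiation failure'."""
    return [SUITE_NAMES.get(s, "0x%04x" % s) for s in offered if s in server_allowed]

def build_client_hello(version, suites):
    """Construct a minimal TLS 1.0 ClientHello record for testing (zero random,
    no session id, no extensions); not a capture from a real ONTAP client."""
    body = bytes(version) + bytes(32) + b"\x00"           # version, random, empty sid
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed stand-in for a TLS 1.0-only client offering just the 3DES suites.
LEGACY_HELLO = build_client_hello((3, 1), [0x000A, 0x0016])
# Constructed server "HIGH" policy before and after OpenSSL regraded 3DES to MEDIUM.
HIGH_WITH_3DES = {0x000A, 0x0016, 0x002F, 0x0033, 0x0035, 0x0039}
HIGH_WITHOUT_3DES = {0x002F, 0x0033, 0x0035, 0x0039}
```

Feed `parse_client_hello` the bytes of the client's first record from a capture and compare the result with the server's allowed set; an empty `negotiable` result reproduces the "closed (TLS negotiation failure)" line in the slapd log above.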
