2016-12-20 05:33 AM
I have made the following observation in my environment and I am struggling to debug it and find a resolution. We support a very mixed
environment of Linux / AIX / Solaris / HP-UX. Our LDAP servers run on both Ubuntu and Solaris, and all run OpenLDAP.
Since we updated the Ubuntu OpenSSL level for this alert:
Our N-Series servers (ONTAP 8.2.4P3 7-Mode) are failing to connect to the Ubuntu OpenLDAP via TLS now:
Dec 20 07:21:50 ldap7 slapd: conn=3231 fd=25 ACCEPT from IP=220.127.116.11:39304 (IP=0.0.0.0:636)
Dec 20 07:21:50 ldap7 slapd: conn=3231 fd=25 closed (TLS negotiation failure)
My initial thought was that the (CVE-2016-2183) move of DES / 3DES to MEDIUM was the issue, so I extended the
LDAP allowed ciphers to include MEDIUM. However, TLS negotiation still fails.
Can anyone tell me what ciphers an ONTAP client sends to the LDAP server during the TLS handshake, so I can test with
openssl s_client -connect ldap6:636 -tls1 -cipher AES128-SHA
The theory being that if the LDAP server is rejecting the ciphers or the TLS level, the above command would simulate it.
Another option may be Wireshark to see the handshake, but as I type this, that option is not open to me currently.
Any thoughts, people?
2016-12-21 06:14 AM
More Information in case anyone is following this:
The problem for me is that DES-CBC3-SHA is used by ONTAP 8.2.4 to establish TLS communications. This is a cipher used by TLS 1.0 and SSLv3. The problem is that OpenSSL has just regraded all 3DES from HIGH to MEDIUM. This is causing this cipher to become unavailable to the LDAP servers, and hence ONTAP 8.2.4, which uses it to establish TLS, can no longer communicate securely with our corporate LDAP servers. As a corporate we BAN LOW / MEDIUM ciphers + SSLv2/3. TLS 1.0 is allowed, but only just! TLS 1.2 is preferred; however, ONTAP 8.2.4 does not support TLS 1.2.
I see this problem only getting worse as different vendors roll out the OpenSSL changes for 3DES. My servers are Ubuntu and Solaris. Ubuntu, being very quick to roll out new patches, is failing today. I expect the Solaris LDAP servers to also stop talking to ONTAP 8.2.4 over TLS once the new patches are applied.
Currently I see the options being:
1) Run non-SSL, which is crazy. But crazier still, it will pass a corporate scan!
2) Enable DES-CBC3-SHA, then risk-accept the issue; we move in 2017 to a new NetApp with ONTAP 9.x, which can offer TLS 1.2 and other cipher suites.
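The two posts above turn on one question: what the storage controller offers in its ClientHello (protocol version and cipher suites) versus what slapd's OpenSSL cipher list still permits after 3DES was regraded. The following is an added example, not code from the thread, NetApp or OpenLDAP. It builds and parses a minimal TLS ClientHello record and then models the server-side decision: reject a protocol version below the server's floor, otherwise pick the first offered suite that the server's list allows, which is OpenSSL's default client-preference behaviour. The suite-to-name table, the three "server policy" lists (3DES in HIGH before the SWEET32 update, dropped from HIGH afterwards, and HIGH plus MEDIUM) and the TLS 1.0 hello offering DES-CBC3-SHA first are all constructed for illustration from the thread's description, not taken from `openssl ciphers` output or from a capture of an ONTAP 8.2.4 handshake; the same parser can be pointed at the bytes of a real ClientHello pulled from a packet capture to answer the first post's question directly. It models only the version floor and cipher-list intersection, so it does not explain why the first post's attempt with MEDIUM added still failed.

```python
"""Offline model of a TLS ClientHello and a server's cipher/version decision."""
import struct

# Constructed subset of IANA cipher suite IDs with their OpenSSL names.
SUITES = {
    0x000A: "DES-CBC3-SHA",  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0009: "DES-CBC-SHA",   # TLS_RSA_WITH_DES_CBC_SHA
    0x0005: "RC4-SHA",       # TLS_RSA_WITH_RC4_128_SHA
    0x002F: "AES128-SHA",    # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035: "AES256-SHA",    # TLS_RSA_WITH_AES_256_CBC_SHA
}
NAME_TO_ID = {name: sid for sid, name in SUITES.items()}
TLS1_0, TLS1_2 = 0x0301, 0x0303


def build_client_hello(version, suite_ids):
    """Assemble a TLS record carrying a minimal ClientHello (no extensions)."""
    body = struct.pack(">H", version) + bytes(32)          # client_version, 32-byte random
    body += b"\x00"                                        # session_id length 0
    body += struct.pack(">H", 2 * len(suite_ids))          # cipher_suites length (bytes)
    body += b"".join(struct.pack(">H", s) for s in suite_ids)
    body += b"\x01\x00"                                    # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = ClientHello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                           # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len                                     # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def negotiate(record, server_suites, server_min_version=TLS1_0):
    """Model the server: enforce a version floor, then take the first offered suite it allows.

    Returns (suite_name, "ok") on success, or (None, reason) for the failure the
    slapd log reports only as "TLS negotiation failure".
    """
    version, offered = parse_client_hello(record)
    if version < server_min_version:
        return None, "client version 0x%04x below server minimum 0x%04x" % (version, server_min_version)
    allowed = {NAME_TO_ID[name] for name in server_suites}
    for sid in offered:
        if sid in allowed:
            return SUITES[sid], "ok"
    names = ", ".join(SUITES.get(s, "0x%04x" % s) for s in offered)
    return None, "no shared cipher (client offered: %s)" % names


# Constructed server cipher lists modelling the thread: before the SWEET32 update
# 3DES sat in HIGH; afterwards it is MEDIUM, so a HIGH-only slapd no longer offers it.
HIGH_BEFORE = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
HIGH_AFTER = ["AES256-SHA", "AES128-SHA"]
HIGH_MEDIUM_AFTER = HIGH_AFTER + ["DES-CBC3-SHA", "RC4-SHA"]

# Constructed stand-in for the legacy storage controller: TLS 1.0, DES-CBC3-SHA first.
LEGACY_HELLO = build_client_hello(TLS1_0, [0x000A, 0x0009])

if __name__ == "__main__":
    print("offered:", parse_client_hello(LEGACY_HELLO))
    for label, policy in [("HIGH (before)", HIGH_BEFORE),
                          ("HIGH (after)", HIGH_AFTER),
                          ("HIGH:MEDIUM (after)", HIGH_MEDIUM_AFTER)]:
        print("%-22s %s" % (label, negotiate(LEGACY_HELLO, policy)))
    print("%-22s %s" % ("TLS1.2 floor", negotiate(LEGACY_HELLO, HIGH_MEDIUM_AFTER, TLS1_2)))
```

To use it against a real client, dump the first record the controller sends (the bytes of the ClientHello from a packet capture) into `parse_client_hello`; the returned suite list is exactly what to pass to `openssl s_client -cipher` when reproducing the failure by hand, and the version is what decides whether `-tls1` is the right flag.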