Security

SSL LDAP breaks from 6.3.3 to 6.3.5

schose
Builder

Hi forum,

I updated my search head from 6.3.3 to 6.3.5. After the update, LDAP with SSL isn't working anymore.
splunkd.log tells me:

07-19-2016 13:02:23.647 +0200 ERROR ScopedLDAPConnection - strategy="LDAP" Error binding to LDAP. reason="Can't contact LDAP server".

LDAP server is surely reachable. In log of the LDAP server we see that the client is terminating the connection.

sudo /opt/splunk/bin/splunk  cmd openssl s_client -showcerts -host ldapserver -port 636 

tells me at a certain point

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 7139 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)

This is different to 6.3.3...

Any hints?!

Thanks for your help in advance,

Andreas

1 Solution

schose
Builder

Hi all,

as matthias wrote adding:

TLS_CIPHER_SUITE HIGH:!DHE

to etc/openldap/ldap.conf fixes the issue. It seems that openssl 1.0.2g does not accept DH with short key sizes.

Thx all for your help!

Andreas

0 Karma

mgaraventa_splu
Splunk Employee
Splunk Employee

Considering that 6.3.4 and 6.3.5 now use a new openssl version, due to new vulnerabilities found, the LDAP server needs to have the most up-to-date default cipher list in order to be approved by the splunk default cipher list.

If it is not possible to update the default cipher list on the LDAP server (AD 2003 for instance is buggy and an update won't be possible - SPL-109427), then the following workaround should be applied:

1) obtain Ciphers configured on your LDAP server.
2) tweak TLS_CIPHER_SUITE command in etc/openldap/ldap.conf to match it.

HTH.

rafamss
Contributor

Put the string below in your ldap.conf file ($SPLUNK_HOME/etc/openldap/certs) and see if this is fixed.

TLS_CIPHER_SUITE HIGH:MEDIUM:@STRENGTH:+3DES:+RC4:!aNULL:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED,!IDEA:!RC2:!RC5

msche
New Member

We know this issue, using a special LDAP-environment.
Specs are described at
https://www.openssl.org/docs/manmaster/apps/ciphers.html

We had to add in /etc/openldap/ldap.conf something like this:
TLS_CIPHER_SUITE HIGH:!DHE

To use specific SSL parameters for the LDAP connection.

This issue was described within RN 6.3.5 SPL-109427

Matthias

0 Karma

schose
Builder

Hi Matthias,

Thx, this fixes our issue!

0 Karma

schose
Builder

fyi: same issue with v6.3.4

0 Karma

schose
Builder

We did not change any LDAP configuration; however, we see that openssl has been updated to 1.0.2g. It seems that the ldap client could be configured with etc/openldap/ldap.conf?! We are pretty sure that the current openldap release does not accept DH with 768-bit server keys and we need to adjust cipher suites.

0 Karma

hardikJsheth
Motivator

Can you share your ldap configuration? Have you added the configuration in the authentication.conf file under the auth app?

0 Karma