
TLS Issue: Could not negotiate a supported cipher suite.. #17

Open
legoheld opened this issue Aug 26, 2015 · 15 comments

@legoheld

When I run the latest image with:

docker pull osixia/openldap
docker run -d -p 390:389 -p 636:636 -h ldap.***.com --name="ldaps" osixia/openldap

And I try to search on the directory over LDAPS with:

ldapsearch -x -h ldap.***.com -p 390 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -Z

I get the following log output and a TLS negotiation failure:

55ddb430 @(#) $OpenLDAP: slapd  (Apr 12 2015 14:28:03) $
    root@chimera:/tmp/buildd/openldap-2.4.40+dfsg/debian/build/servers/slapd
TLS: warning: ignoring dhfile
55ddb431 slapd starting
55ddb43a conn=1000 fd=20 ACCEPT from IP=84.253.47.226:59879 (IP=172.17.0.185:389)
55ddb43a conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
55ddb43a conn=1000 op=0 STARTTLS
55ddb43a conn=1000 op=0 RESULT oid= err=0 text=
TLS: can't accept: Could not negotiate a supported cipher suite..
55ddb43a conn=1000 fd=20 closed (TLS negotiation failure)

I also tried to connect over ldaps:// with:

ldapsearch -x -H ldaps://ldap.***.com -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

But I got the same "Could not negotiate a supported cipher suite.." exception.
Is there anything I've done wrong or is there an issue with the image?

@osixia
Collaborator

osixia commented Aug 26, 2015

It looks like the cipher suite OpenLDAP requires can't be satisfied by your host.
Try updating openssl / gnutls-bin on the host where you ran the ldapsearch command.

The other option is to be more permissive on the cipher suite:
Change or delete the line with olcTLSCipherSuite in image/service/slapd/assets/config/tls/tls-enable.ldif and rebuild the image.

Note that by default the TLS configuration also requires a client certificate, so if you conform to the cipher suite you will probably hit another issue right away.

If you don't want to check the client certificate, also change olcTLSVerifyClient: demand to olcTLSVerifyClient: never in image/service/slapd/assets/config/tls/tls-enable.ldif

@osixia
Collaborator

osixia commented Aug 27, 2015

A new version of the image is now available: 1.0.2

It offers new TLS environment variables that make the TLS configuration more customizable
(see the project readme).

With the new image you can try:

docker run -p 390:389 -p 636:636  -h ldap.***.com --name="ldaps"  -e LDAP_TLS_PROTOCOL_MIN=3.0 -e LDAP_TLS_CIPHER_SUITE=NORMAL -e LDAP_TLS_VERIFY_CLIENT=never -d osixia/openldap:1.0.2

and

ldapsearch -x -h ldap.***.com -p 390 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -Z

Does it solve this issue?

@legoheld
Author

Hi,
Thanks for your support!
I tried it and I get the following error on the client:

ldapsearch -x -h ldap.lernetz.ch -p 390 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -Z
ldap_start_tls: Connect error (-11)
    additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
ldap_result: Can't contact LDAP server (-1)

Makes sense, as you generate a self-signed certificate that I don't trust on the client.
Let me check that again with my own certificates. I will keep you informed.

@vitosans

Ran into the same issue, only I was providing my own real certs. I think it has to do with gnutls. Will do more research and post back.

@arun-imaginea

Thanks for the env variables LDAP_TLS_CIPHER_SUITE and LDAP_TLS_VERIFY_CLIENT; I had a similar situation and it worked once I set these variables as suggested.

@phutchins

I'm hitting this issue as well and can't seem to get it working even with the added options of...
LDAP_TLS_VERIFY_CLIENT=never
LDAP_TLS_PROTOCOL_MIN=3.0
LDAP_TLS_CIPHER_SUITE=NORMAL

On the client side, I'm running ldapsearch -d 1 -H ldaps://my-openldap:636 -Z

and getting...

A TLS packet with unexpected length was received

On the server side I'm seeing...

TLS: Can't accept: Could not negotiate a supported cipher suite..

Any thoughts?

@rudyzhou2

My issue ended up being that gnutls/openssl on my server were not updated enough to support TLS_PROTOCOL_MIN 3.0 and the Normal Cipher (SECURE192:+VERS-SSL3.0)

The symptom is as follows:
I was able to handshake and get certificate via

openssl s_client -connect [client address and port]

but the slapd log shows the error message when using ldapsearch -H ldaps://xxx

TLS: unsupported cipher xxx

Ended up setting

LDAP_TLS_VERIFY_CLIENT=never
LDAP_TLS_PROTOCOL_MIN=1.2
LDAP_TLS_CIPHER_SUITE=SECURE128:-VERS-SSL3.0:+VERS-TLS1.2

Not the greatest security, but I was able to get the authentication going without issues.

@osixia
Collaborator

osixia commented Mar 9, 2016

@rudyzhou2 thanks for your feedback :)

@rudyzhou2

Amazing container, made my ldap life so much easier! Thank you so much, really appreciate it!

@afrazkhan

I'd like to reopen this. Even downgrading the settings for TLS as above (and checking that I have those available), did not solve this for me. I still get the same error: "ignoring dhfile".

@Avalarion

Any updates on those problems?

@obriensystems

Out of the box 1.1.8 image fails on
openldap | TLS: can't accept: Could not negotiate a supported cipher suite..

for
3977655f777a some.url:5000/teesnap-openldap:4 "/container/tool/run" 7 days ago Up 53 minutes 0.0.0.0:389->389/tcp, 0.0.0.0:636->636/tcp

@EugenMayer

Just in case that's still in question here, e.g. for getting the LDAPS connection to work with Nexus Repository Manager I had to add NORMAL: to SECURE256:-VERS-SSL3.0, so NORMAL:SECURE256:-VERS-SSL3.0

startTLS will work with SECURE256:-VERS-SSL3.0 though on other clients.

So maybe the default is a bit too tight, but maybe there is no such thing. You might just want the cipher selection to be part of the primary steps in the docs, since the clients are not too verbose about the connection issue and people could take a while. My client did not say anything, but the server logs did.
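EugenMayer's observation (the client says nothing, the server log does) and the slapd log in the opening post both point at the same triage step: map each "TLS negotiation failure" back to the client that caused it. The following Python script is an added example, not code from this issue or from the osixia/openldap project; it runs over a constructed sample log modelled on the lines quoted above (the log format is real, the IPs and conn ids are made up) and applies the thread's rule of thumb for deciding whether the server's olcTLSCipherSuite or the client's TLS library is the likelier culprit.

```python
import re
from collections import defaultdict

# Constructed sample slapd log, modelled on the lines quoted in this issue.
SAMPLE_LOG = """\
55ddb43a conn=1000 fd=20 ACCEPT from IP=84.253.47.226:59879 (IP=172.17.0.185:389)
55ddb43a conn=1000 op=0 STARTTLS
TLS: can't accept: Could not negotiate a supported cipher suite..
55ddb43a conn=1000 fd=20 closed (TLS negotiation failure)
55ddb440 conn=1001 fd=21 ACCEPT from IP=10.0.0.7:41000 (IP=172.17.0.185:636)
TLS: can't accept: Could not negotiate a supported cipher suite..
55ddb440 conn=1001 fd=21 closed (TLS negotiation failure)
55ddb450 conn=1002 fd=22 ACCEPT from IP=10.0.0.9:41002 (IP=172.17.0.185:636)
55ddb450 conn=1002 fd=22 TLS established tls_ssf=256 ssf=256
55ddb452 conn=1002 fd=22 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_ERR_RE = re.compile(r"^TLS: [Cc]an't accept: (.*)$")  # spelled both ways in this thread
ESTAB_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed \((.*)\)")

def triage_tls_failures(log_text):
    """Attribute each TLS negotiation failure to the client IP that opened the connection;
    slapd logs the 'TLS: can't accept' reason without a conn id, so it is tied to the next TLS-failed close."""
    conns = {}             # conn id -> client ip
    pending_reason = None  # last TLS error text not yet attributed to a connection
    failures = defaultdict(lambda: {"count": 0, "reasons": set()})
    established = set()    # client IPs that completed a handshake
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m.group(1)] = m.group(2)
        elif m := TLS_ERR_RE.match(line):
            pending_reason = m.group(1).rstrip(".")
        elif m := ESTAB_RE.search(line):
            established.add(conns.get(m.group(1), "unknown"))
        elif (m := CLOSED_RE.search(line)) and "TLS negotiation failure" in m.group(2):
            ip = conns.get(m.group(1), "unknown")
            failures[ip]["count"] += 1
            if pending_reason:
                failures[ip]["reasons"].add(pending_reason)
            pending_reason = None
    return dict(failures), established

def likely_cause(failures, established):
    """Rule of thumb from this thread: no client ever completes a handshake -> suspect the
    server's olcTLSCipherSuite; some succeed -> suspect the failing clients' TLS libraries."""
    if failures and not established:
        return "server"
    return "client" if failures else "none"
```

Feed it `docker logs` output from the container instead of SAMPLE_LOG to see which client IPs are being rejected and with what reason before loosening LDAP_TLS_CIPHER_SUITE for everyone.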

@jjreed05

Any update?
