Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mod_shared_roster_ldap: In state hello received SERVER ALERT: Fatal - Handshake Failure #3496

Closed
stephdl opened this issue Jan 21, 2021 · 18 comments
Closed

mod_shared_roster_ldap: In state hello received SERVER ALERT: Fatal - Handshake Failure #3496

stephdl opened this issue Jan 21, 2021 · 18 comments
Labels
Component:LDAP

Comments

@stephdl
Copy link

stephdl commented Jan 21, 2021
edited

Environment

  • ejabberd version: 20.12
  • Erlang version: erl +V
[root@ns7loc14 ~]# /opt/ejabberd-20.12/bin/erl +V
Erlang (SMP,ASYNC_THREADS,HIPE) (BEAM) emulator version 10.3.4
  • OS: Linux centos7.9
  • Installed from: official rpm from the project
[root@ns7loc14 ~]# rpm -qa ejabberd
ejabberd-20.12-0.x86_64

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

[root@ns7loc14 ~]# grep -Ev '^$|^\s*#' /etc/ejabberd/ejabberd.yml
loglevel: 4
log_rotate_count: 0
hosts:
  - "nethservertest.org"
define_macro:
  'CERTFILE': "/etc/ejabberd/ejabberd.pem"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
  'CIPHERS': "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:
    +kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!SSLv3:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES"
certfiles:
    - 'CERTFILE'
listen:
  - 
    port: 5222
    ip: "0.0.0.0"
    module: ejabberd_c2s
    protocol_options: 'TLSOPTS'
    starttls: true
    starttls_required: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    ciphers: 'CIPHERS'
  - 
    port: 5223
    ip: "0.0.0.0"
    module: ejabberd_c2s
    access: c2s
    shaper: c2s_shaper
    tls: true
    protocol_options: 'TLSOPTS'
    max_stanza_size: 65536
    ciphers: 'CIPHERS'
  - 
    port: 5280
    ip: "0.0.0.0"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/api": mod_http_api
      "/bosh": mod_bosh
      
    captcha: false
    protocol_options: 'TLSOPTS'
    ciphers: 'CIPHERS'
s2s_use_starttls: required
auth_method: external
extauth_program: "/usr/libexec/nethserver/ejabberd-auth"
extauth_pool_size: 4
auth_use_cache: false
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - ip: "127.0.0.1/8"
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
          - allow:
              - ip: "127.0.0.1/8"
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
acl:
  admin:
    user:
  local:
    user_regexp: ""
  loopback:
    ip:
      - "127.0.0.0/8"
shaper:
  normal: 500000
  fast: 1000000
max_fsm_queue: 10000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    - 5000: admin
    - 100
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast
access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  register:
    - deny
  trusted_network:
    - allow: loopback
language: "en"
allow_contrib_modules: true
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  mod_disco: {}
  mod_bosh: {}
  mod_last: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to nethservertest.org XMPP server.
    ip_access: trusted_network
    access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_vcard:
    search: false
  mod_version: {}
  mod_stream_mgmt: {}
  mod_s2s_dialback: {}
  mod_http_api: {}
  mod_shared_roster_ldap:
     ldap_base: "dc=directory,dc=nh"
     ldap_encrypt: tls
     ldap_tls_verify: false
     ldap_groupattr: "cn"
     ldap_groupdesc: "o"
     ldap_memberattr: "uid"
     ldap_memberattr_format: "%u"
     ldap_password: "V_85617fr2bK3Csj"
     ldap_port: 636
     ldap_rfilter: "(objectClass=posixAccount)"
     ldap_rootdn: "cn=ldapservice,dc=directory,dc=nh"
     ldap_servers: ["192.168.56.12"]
     ldap_ufilter: "(uid=%u)"
     ldap_useruid: "uid"

Errors from error.log/crash.log

No errors from crash.log, only from /var/log/ejabberd/ejabberd.log

2021-01-21 17:58:51.998 [notice] <0.120.0>@lager_file_backend:152 Changed loghwm of /var/log/ejabberd/error.log to 100
2021-01-21 17:58:51.998 [notice] <0.120.0>@lager_file_backend:152 Changed loghwm of /var/log/ejabberd/ejabberd.log to 100
2021-01-21 17:58:52.116 [info] <0.106.0>@ejabberd_config:load:82 Loading configuration from /etc/ejabberd/ejabberd.yml
2021-01-21 17:58:52.333 [warning] <0.106.0>@gen_mod:warn_soft_dep_fail:582 Module mod_mam is recommended for module mod_muc but is not found in the config
2021-01-21 17:58:52.355 [info] <0.106.0>@ejabberd_config:load:89 Configuration loaded successfully
2021-01-21 17:58:52.725 [info] <0.335.0>@gen_mod:start_modules:130 Loading modules for nethservertest.org
2021-01-21 17:58:52.929 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
2021-01-21 17:58:52.929 [info] <0.442.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure

2021-01-21 17:58:52.988 [info] <0.106.0>@ejabberd_cluster_mnesia:wait_for_sync:123 Waiting for Mnesia synchronization to complete
2021-01-21 17:58:53.038 [warning] <0.359.0>@ejabberd_pkix:log_warnings:393 Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 29: self-signed certificate
2021-01-21 17:58:53.200 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching nethservertest.org
2021-01-21 17:58:53.200 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching conference.nethservertest.org
2021-01-21 17:58:53.201 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching pubsub.nethservertest.org
2021-01-21 17:58:53.201 [info] <0.106.0>@ejabberd_app:start:62 ejabberd 20.12 is started in the node ejabberd@localhost in 1.40s
2021-01-21 17:58:53.201 [warning] <0.451.0>@ejabberd_acme:request_on_start:593 No HTTP listeners for ACME challenges are configured, automatic certificate requests are aborted. Hint: configure the listener and restart/reload ejabberd. Or set acme->auto option to `false` to suppress this warning.
2021-01-21 17:58:53.202 [info] <0.356.0>@ejabberd_listener:init:159 Start accepting TCP connections at 0.0.0.0:5222 for ejabberd_c2s
2021-01-21 17:58:53.202 [info] <0.357.0>@ejabberd_listener:init:159 Start accepting TLS connections at 0.0.0.0:5223 for ejabberd_c2s
2021-01-21 17:58:53.202 [info] <0.358.0>@ejabberd_listener:init:159 Start accepting TLS connections at 0.0.0.0:5280 for ejabberd_http
2021-01-21 17:58:53.438 [info] <0.503.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure

2021-01-21 17:58:53.438 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
2021-01-21 17:58:53.943 [info] <0.509.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure

2021-01-21 17:58:53.943 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure

Bug description

We provide a server configuration for ejabberd with an account provider that you can use locally or remotely based on samba AD or openldap.

  • the ldap ssl over 636 tcp port for samba AD gets no issue
  • the ldap in plain text over 389 tcp port gets no issue for openldap

We can bind remotely or locally our applications to openldap in plain text or encrypted therefore we have a workable configuration but ejabberd got an error about tls handshake failure when we try to use ldaps over 636, no matter it is local or remote openldap

If I change the account provider on the same server to samba AD I have no error, so it is not a certificate issue

I read in another issue #2344 (comment) and it seems that the downgrade to erlang 19 fixed the issue.
@prefiks
Copy link
Member

prefiks commented Jan 22, 2021

Could you check if there is anything in logs of your ldap server about this? From that error message it seems that this error is generated by your server, so it's hard to tell on client side what causes it.

@stephdl
Copy link
Author

stephdl commented Jan 22, 2021

Will check it, no problem on it, our concerns is that we use other applications that bind also to openldap with ssl over 636 port. So normally we should have a workable solution.

Will check and report, thank for your input

@stephdl
Copy link
Author

stephdl commented Jan 22, 2021
edited

in /var/log/slapd in can see

Jan 22 14:29:03 ns7loc11 slapd[10993]: conn=1271 fd=24 ACCEPT from IP=192.168.56.241:42792 (IP=0.0.0.0:636)
Jan 22 14:29:03 ns7loc11 slapd[10993]: conn=1271 fd=24 closed (TLS negotiation failure)

like in ejabber log

when I test externally my connectivity to my ldap server I have

[root@ns7loc14 ~]# nmap  --script ssl-enum-ciphers 192.168.56.12 -p 636

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-22 14:29 CET
Nmap scan report for ns7loc11.nethservertest.org (192.168.56.12)
Host is up (0.00047s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak
MAC Address: 52:54:00:8A:0E:24 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds

To be sure that my openldap server get the wide cipher audience, I use in /etc/openldap/slapd.d/cn=config.ldif

olcTLSProtocolMin: 3.0
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

What ciphers and ssl protocol eldap is supposed to use ?

@prefiks
Copy link
Member

prefiks commented Jan 22, 2021

Available ciphers depends mostly on erlang/openssl in your system. Could you running ejabberd debug console: ejabberdctl debug and inside this could you try executing this: ssl:connect("192.168.56.12", 636, [{log_level, debug}]). and see what this produce? You can close console later with double ctrl-c.

@stephdl
Copy link
Author

stephdl commented Jan 22, 2021 

[root@ns7loc14 testssl.sh]# systemctl status  ejabberd
● ejabberd.service - ejabberd XMPP Server
   Loaded: loaded (/usr/lib/systemd/system/ejabberd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-22 14:56:51 CET; 1h 5min ago
   CGroup: /system.slice/ejabberd.service
           ├─18492 /opt/ejabberd-20.12/bin/epmd -daemon
           ├─18494 /opt/ejabberd-20.12/bin/beam.smp -K true -P 250000 -- -root /opt/ejabberd-20.12 -progname /opt/ejabberd-20.12/b...
           ├─18502 erl_child_setup 65536
           ├─18532 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           ├─18533 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           ├─18534 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           ├─18535 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           └─18536 /opt/ejabberd-20.12/lib/os_mon-2.4.7/priv/bin/memsup

Jan 22 14:56:48 ns7loc14.nethservertest.org systemd[1]: Starting ejabberd XMPP Server...
Jan 22 14:56:51 ns7loc14.nethservertest.org systemd[1]: Started ejabberd XMPP Server.
[root@ns7loc14 testssl.sh]# /opt/ejabberd-20.12/bin/ejabberdctl debug
--------------------------------------------------------------------

IMPORTANT: we will attempt to attach an INTERACTIVE shell
to an already running ejabberd node.
If an ERROR is printed, it means the connection was not successful.
You can interact with the ejabberd node if you know how to use it.
Please be extremely cautious with your actions,
and exit immediately if you are not completely sure.

To detach this shell from ejabberd, press:
  control+c, control+c

--------------------------------------------------------------------
To bypass permanently this warning, add to ejabberdctl.cfg the line:
  EJABBERD_BYPASS_WARNINGS=true
Press return to continue


Erlang/OTP 21 [erts-10.3.4] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

Eshell V10.3.4  (abort with ^G)
(ejabberd@localhost)1> ssl:connect("192.168.56.12", 636, [{log_level, debug}]).
{error,{options,{socket_options,[{log_level,debug},
                                 {packet_size,0},
                                 {packet,0},
                                 {header,0},
                                 {active,false},
                                 {mode,binary}]}}}
(ejabberd@localhost)2> ssl:connect("192.168.56.12", 636, [{log_level, debug}]) 
(ejabberd@localhost)2>

Not sure about the trailing dot, I tested the two cases

@prefiks
Copy link
Member

prefiks commented Jan 22, 2021

Yeah, dot is needed, but looks like this version of erlang doesn't recognize this option, i think log_level was added only in most recent version.

@stephdl
Copy link
Author

stephdl commented Jan 22, 2021 

(ejabberd@localhost)7> ssl:connect("192.168.56.12", 636, []).
{error,{tls_alert,{handshake_failure,"received CLIENT ALERT: Fatal - Handshake Failure"}}}

not sure it helps, but erlang cannot connect itself :|

@prefiks
Copy link
Member

prefiks commented Jan 22, 2021

Yes, this is exactly what ldap modules use to communicate over tls, that's why i asked you in first place to try with debug log_level, i was hoping that it show what it tries to negotiate.

@stephdl
Copy link
Author

stephdl commented Jan 22, 2021 

[root@ns7loc14 testssl.sh]# nmap  --script ssl-enum-ciphers 192.168.56.12 -p 636

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-22 17:35 CET
Nmap scan report for ttt.nethservertest.org (192.168.56.12)
Host is up (0.00048s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak
MAC Address: 52:54:00:8A:0E:24 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

testing to use strong cipher with openldap

[root@ns7loc11 ~]# ldapmodify -Y EXTERNAL <<EOF
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

like you can see with nmap, my slapd server talk only tls1.2

I wanted to see if eldap wanted to talk only with high ciphers

however it is the same

(ejabberd@localhost)1> ssl:connect("192.168.56.12", 636, []).
{error,{tls_alert,{handshake_failure,"received CLIENT ALERT: Fatal - Handshake Failure"}}}
(ejabberd@localhost)2>

@stephdl
Copy link
Author

stephdl commented Jan 22, 2021
edited

Even with a really strict policy, this is a workable bind of dokuwiki for the user admin

Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 ACCEPT from IP=192.168.56.241:60898 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2071 fd=23 ACCEPT from IP=192.168.56.241:49325 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2071 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 ACCEPT from IP=192.168.56.241:43872 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 TLS established tls_ssf=256 ssf=256
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=2 SRCH base="ou=People,dc=directory,dc=nh" scope=2 deref=0 filter="(|(uid=admin)(mail=admin))"
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (uid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SRCH base="ou=Groups,dc=directory,dc=nh" scope=2 deref=0 filter="(memberUid=admin)"
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SRCH attr=cn
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (memberUid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=6 SRCH base="ou=People,dc=directory,dc=nh" scope=2 deref=0 filter="(|(uid=admin)(mail=admin))"
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (uid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SRCH base="ou=Groups,dc=directory,dc=nh" scope=2 deref=0 filter="(memberUid=admin)"
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SRCH attr=cn
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (memberUid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=8 UNBIND
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 closed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2073 fd=23 ACCEPT from IP=192.168.56.241:39538 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2073 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2074 fd=23 ACCEPT from IP=192.168.56.241:58724 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2074 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2075 fd=23 ACCEPT from IP=192.168.56.241:33552 (IP=0.0.0.0:636)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2075 fd=23 closed (TLS negotiation failure)

either my ejabberd configuration is bad, or something doesn't work as expected in ejabberd for openldap

:-?

this is the dokuwiki configuration


$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldaps://192.168.56.12:636";
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(|(uid=%{user})(mail=%{user}))';
$conf['plugin']['authldap']['groupfilter']  = '(memberUid=%{uid})';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn']     = "cn=ldapservice,dc=directory,dc=nh";
$conf['plugin']['authldap']['bindpw']     = "V_85617fr2bK3Csj";
$conf['plugin']['authldap']['starttls']   = 0;
$conf['plugin']['authldap']['modPass'] = 0;

@nosnilmot
Copy link
Contributor

when I test externally my connectivity to my ldap server I have

That list only includes RSA key-exchange ciphers. Erlang/OTP >= 21 disables those by default.

olcTLSProtocolMin: 3.0
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

I would expect that to include far more than just the RSA key exchange ciphersuites reported by nmap. What does this report for you, on the same system?:

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'

@stephdl
Copy link
Author

stephdl commented Jan 23, 2021
edited

I think we run default of centos 7.9

on the server running openldap

[root@ns7loc11 ~]# openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=MD5 
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5 
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5

on the server running ejabberd

[root@ns7loc14 ~]# openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=MD5 
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5 
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5

@nosnilmot
Copy link
Contributor

On RHEL/CentOS OpenLDAP uses NSS for SSL/TLS, not OpenSSL, so that check wasn't particularly useful, sorry.

Do you have a DH Parameter file (olcTLSDHParamFile) configured for OpenLDAP? See https://access.redhat.com/articles/1474813 for how to create one.

@stephdl
Copy link
Author

stephdl commented Jan 24, 2021

thank for your help, I do not think we have a dh key for our configuration, I will report it

@stephdl
Copy link
Author

stephdl commented Jan 25, 2021
edited

I think I owe you a beer, when I can pay you something to drink, do you waste time at FOSDEM ?

The key is ER21 expect a dh key, I run a default TLS openldap on Centos7 but without dh key

[root@ns7loc11 ~]# openssl dhparam -out /etc/openldap/certs/slapd.dh.params.tmp 1024
[root@ns7loc11 ~]# mv /etc/openldap/certs/slapd.dh.params.tmp  /etc/openldap/certs/slapd.dh.params
[root@ns7loc11 ~]# ldapmodify -Y EXTERNAL <<EOF
> dn: cn=config
> changetype: modify
> replace: olcTLSDHParamFile
> olcTLSDHParamFile:  /etc/openldap/certs/slapd.dh.params
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@ns7loc11 ~]# ll /etc/openldap/certs/slapd.dh.params
-rw-r--r-- 1 root root 245 Jan 25 16:47 /etc/openldap/certs/slapd.dh.params
[root@ns7loc11 ~]# systemctl restart slapd

@stephdl
Copy link
Author

stephdl commented Jan 25, 2021

erlang21 expects TLS_DHE_RSA for the tls handshake

[root@ns7loc14 ~]# nmap  --script ssl-enum-ciphers 192.168.56.12 -p 636

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-25 21:48 CET
Nmap scan report for ttt.nethservertest.org (192.168.56.12)
Host is up (0.00048s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong
MAC Address: 52:54:00:E5:55:1E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

@stephdl
Copy link
Author

stephdl commented Jan 27, 2021

I would like to close this issue but I think we could have something to do maybe in the documentation of ejabberd or you think that the documentation already states somewhere for this requirement ?

@stephdl stephdl mentioned this issue Feb 1, 2021
Closed
@stephdl
Copy link
Author

stephdl commented Feb 7, 2021

We closed the issue on our project, let close this one too, thank again for helping us to fix our issue.

@stephdl stephdl closed this as completed Feb 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Component:LDAP
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@prefiks @badlop @stephdl @nosnilmot