6.4.3 is released but appears to have eDirectory SSL issues

After upgrading the AAuth server to the 6.4.3 release, no LDAP syncing or login can happen if the repository is eDirectory.

LDAP connect error: ("('socket ssl wrapping error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1002)',)",); ['x.x.x.x.:636', 'x.x.x.x:636']

Rodney

If you found this post useful, give it a "Like" or click on "Verify Answer" under the "More" button.   This helps others.

  • 0   in reply to   

    Thanks for notification. I also saw this in release notes:

    If you use eDirectory for your LDAP repository, before upgrading to Advanced Authentication 6.4 Service Pack 3, ensure to modify the LDAP server configuration in the NetIQ iManager for eDirectory to either one of the following ways:

    • To support the current strong set of TLS ciphers for RSA certificates

    • To use an Elliptic Curve Certificate (for example, SSL EC CertificateDNS)

    As somebody mentioned before, we also cannot switch to EC in near future, so I would like to know what exactly is "support the current strong set of TLS ciphers for RSA certificates".

    There is a link to KM (https://portal.microfocus.com/s/article/KM000029147?language=en_US), but this talks only about switching to EC.

    Kind regards, Sebastijan


  • 0   in reply to   

    Hello Sebastijan,

    I will ask for more information on this, but I suppose it means having eDir use the latest cipher set, that's all.

    It's not asking to switch to EC either, if you can. Either way.

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to   

    I'm asking because there are multiple configurations on eDirectory LDAP server, like:

    - Bind restrictions for Ciphers (is High Cipher good enough, or do we need SuiteB?):

    - Protocols:

    - Or specify ciphers directly:

    I think the documentation would need to be a bit more specific about what the minimum requirement for AA TLS ciphers is.

    Kind regards,

    Sebastijan


  • 0 in reply to   

    This Knowledge article has changed. There was a version before that contained information on how to set ciphers for LDAP in iManager. Don't know why they changed it - accidentally, or because the solution did not work?

  • 0 in reply to 

    "Change the certificate used by eDirectory to SSL EC CertificateDNS and perform steps 3 - 5 above" when there's nothing in https://portal.microfocus.com/s/article/KM000029147?language=en_US to read!

  • 0   in reply to 

    Hello,

    I have informed Product Management and Development about this. Right now I can't add anything else.

    Let's wait until they are online and can clarify this.

    Thanks.

    Regards,

    Luciano Testa

  • Suggested Answer

    0   in reply to 

    Uncheck all Protocols except TLS 1.2.

    In the Ciphers box, enter the following:

    DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    Rodney


  • 0   in reply to   

    I did upgrade to 6.4.3; without changing anything on the eDirectory side, synchronization is working.

    David

  • 0 in reply to   

    Which bind settings do you have for the LDAP server? If it's "High Cipher", I guess this is what is meant by "the current strong set of TLS ciphers for RSA certificates" in the release notes.

    Next question would be: is this different for OES or eDirectory versions? Which version do you have?

  • Verified Answer

    0   in reply to 

    Hello,

    Here is the formal recommendation from engineering:

    In the new release of AA 6.4.3.0-340, we now support/use the set of cipher-suites configured in the Policies > HTTPS Options > Advanced SSL Settings > Pre-defined SSL ciphersuite options.

    We recommend that customers change to use an EC certificate if they can. Once using an EC certificate, we also recommend that the Policies > HTTPS Options > Advanced SSL Settings > Pre-defined SSL ciphersuite options should be set to SSL Labs score: 90 (#1) or SSL Labs score: 100.

    If a customer cannot use an EC certificate, they will need to use the "Less restrictive ciphers for backward compatibility" Pre-defined SSL ciphersuite.

    Thanks.

    Regards,

    Luciano Testa
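An added illustration, not code from this thread or from NetIQ/OpenText: it takes the cipher string from the Suggested Answer above and sorts each suite by the server certificate type it can be negotiated with, which is what the RSA-vs-EC distinction in the release notes and in the engineering recommendation comes down to. The classification rules are assumptions about OpenSSL suite naming; `probe()` repeats the client-side handshake against an LDAPS port you operate, with verification disabled because it diagnoses cipher overlap only, not trust.

```python
import ssl
import socket

# Cipher string from the Suggested Answer above (copied here for this example)
AA_CIPHERS = (
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)


def classify(suite):
    """Return (certificate type the suite needs, forward secrecy?) from its OpenSSL name.

    Assumed naming rules: TLS 1.3 suites carry no authentication algorithm and work
    with either certificate; 'ECDSA' suites need an EC certificate; 'DHE-RSA' and
    'ECDHE-RSA' need an RSA certificate; a bare 'AES...' suite is static RSA key
    exchange (RSA certificate, no forward secrecy).
    """
    if suite.startswith("TLS_"):
        return "any", True
    if "ECDSA" in suite:
        return "EC", True
    if suite.startswith(("ECDHE-RSA-", "DHE-RSA-")):
        return "RSA", True
    return "RSA", False


def usable_with(cipher_string, cert_type):
    """Suites from the list that a server presenting cert_type ('RSA' or 'EC') can offer."""
    return [s for s in cipher_string.split(":") if classify(s)[0] in ("any", cert_type)]


def probe(host, port=636, ciphers=AA_CIPHERS, timeout=5):
    """One TLS 1.2+ handshake with the AA list; returns the negotiated suite or the alert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # checking cipher overlap only, not certificate trust
    ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError as exc:  # e.g. SSLV3_ALERT_HANDSHAKE_FAILURE when no suite overlaps
        return f"handshake failed: {exc}"
```

If `usable_with(AA_CIPHERS, "RSA")` has no overlap with what eDirectory's bind restrictions leave enabled, the handshake fails exactly as in the error at the top of the thread.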