[Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)
Alexander Bokovoy
abokovoy at redhat.com
Fri Nov 6 11:50:04 UTC 2015
On Fri, 06 Nov 2015, Marat Vyshegorodtsev wrote:
>Actually, looking at the source code of 389DS it is impossible.
>
>
>I gave up.
>
>
>http://fossies.org/linux/389-ds-base/ldap/servers/slapd/ssl.c
>(see screenshot)
>
>
>Only RSA and some mysterious Fortezza are allowed. NSS'
>SSL_ConfigSecureServer actually does support kt_dh, not sure if it applies
>to ECDH as well.
>
>I think working around 389DS' SSL code would be harder than just wrapping
>port 389 into stunnel, but FreeIPA installer doesn't allow the port 636 to
>be used by anyone else.
>
>Seriously, can we just drop Apache+mod_nss and LDAP+libnss? Instead, have
>the web GUI wrapped into nginx and LDAP into stunnel?
>
>One may argue that there won't be single sign-on, because Kerberos, but is
>anyone seriously using IE anymore?
How IE is relevant here? Are you stuck on Windows without real browsers?
On port 389 we are using SASL GSSAPI which gives you both encryption and
signing.
Anyway, I think you are just steaming your frustration here. If you want
constructive discussion, maybe let's start with filing a number of
tickets to 389-ds and FreeIPA to support ECC certificates?
Automating detection and enabling correct cipher types is certainly
worth it.
>As you might have seen from a parallel thread, NSS does a terrible job with
>sslabs by default. It is almost 2016, TLSv1.3 will be released soon, but it
>barely had support of TLSv1.2.
>As for now, I suggest writing it in docs and add a check to ipa CLI tools
>not to allow ECC certs.
I'm getting A- from ssllabs checks for my server with RSA certificate
and mod_nss, what I'm doing wrong?
A- is mostly for lack of PFS and some certificate chain excess that I'm
planning to fix soon.
HTTP server signature:
Apache/2.4.16 (Fedora) mod_auth_gssapi/1.3.1 mod_nss/2.4.16 NSS/3.19.3 Basic ECC PHP/5.6.14 mod_wsgi/4.4.8 Python/2.7.10
It is Fedora 22 with FreeIPA 4.2.2.
>Marat
>
>2015年11月6日(金) 17:50 Martin Kosek <mkosek at redhat.com>:
>
>> On 11/05/2015 02:39 PM, Marat Vyshegorodtsev wrote:
>> > Hi!
>> >
>> > I've been fighting for the past week with FreeIPA and trying to make
>> > it work with my own CA certificate that is ECDSA_SHA256.
>> >
>> > Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
>> > (basically added correct NSSCipherSuite), LDAP (389DS) is a tough nut.
>> >
>> > The command I used is:
>> >
>> > ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' --realm
>> > MYDOMAIN.COM --domain mydomain.com --ds-password 'DS_PASSWORD_HERE'
>> > --admin-password 'ADMIN_PASSWORD_HERE' --no-ntp --unattended
>> > --no-host-dns --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file
>> > /etc/ipa/ipa.p12 --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT'
>> > --ca-cert-file /etc/ipa/myownca.pem
>> >
>> > In this case, installation fails at the following step:
>> > Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>> > 'ipa.rpay.us' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>> > '/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
>> > 'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit
>> > status 1
>> >
>> > In /var/log/ipaserver-install.log I see a message:
>> > DEBUG stderr=ldap_start_tls: Protocol error (2)
>> > additional info: SSL not supported by this server.
>> >
>> > Basically, LDAP is broken now (it doesn't allow connecting without -ZZ
>> > flag, and fails with it, since TLS is misconfigured at this point).
>> >
>> > What actually happens, LDAP gets configured to use RSA as a key
>> > exchange algorithm, and fails, since the cert is an ECC cert.
>> >
>> > In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
>> > [05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server
>> > key/certificate is bad for cert FreeIPA of family
>> > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -12200
>> > - The certificate provided cannot be used with the selected key
>> > exchange algorithm.)
>> >
>> > This is configured by ipaserver/install/dsinstance.py under def
>> __enable_ssl:
>> >
>> > entry = conn.make_entry(
>> > DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
>> > objectclass=["top", "nsEncryptionModule"],
>> > cn=["RSA"],
>> > nsSSLPersonalitySSL=[self.nickname],
>> > nsSSLToken=["internal (software)"],
>> > nsSSLActivation=["on"],
>> > )
>> > conn.add_entry(entry)
>> >
>> > My question is, is it possible to replace RSA with ECDSA here? If so,
>> > what parameters should I pass to LDAP?
>>
>> Honza or Ludwig, do you know? This is certainly an uncharted territory,
>> you are
>> the first person I know about trying to install FreeIPA CA-less with ECC
>> certificate.
>>
>> There is a ticket to get ECC support in PKI (i.e. not CA-less), but it was
>> not
>> completed yet:
>> https://fedorahosted.org/freeipa/ticket/3951
>>
>> >
>> > If this is fixable, can someone add autodetect of the type of the
>> > certificate and enable appropriate algorithms in LDAP and Apache?
>> >
>> > Best regards,
>> > Marat Vyshegorodtsev
>> >
>>
>>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list