I have a Linux system with a version of
OpenSSL 0.9.8j-fips 07 Jan 2009 and an Apache
Server version: Apache/2.4.27 (Unix)
Apache has issues connecting via secure LDAPS to a remote Windows 2016 DC.
I have traced the problem by capturing packets. Here is the output from the openssl test command:
24651:error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters:s3_clnt.c:1342:
The network dumps show that the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is proposed. The DC accepts the Apache client hello, informs it that the above cipher will be used for further communication and provides a specific curve. Then the Apache client sends a fatal alert (Internal error).
One other important thing to note is that, until now, an old W2008 server was in the place of the W2016 for this connection, and everything worked fine with it.
What is the best way to resolve this and how?
- By configuring the apache to not use the cipher
- By configuring the Windows DC to not use the cipher
- By updating the openssl on the Linux server
- By disabling the cipher in the openssl configuration
Here is the Apache configuration:
Edit: After some tests, it appears that the remote DC has no problems with 3DES, RSA and RC4 ciphers, so I am thinking of setting this rule in Apache:
What do you think?
Thanks in advance for the answers and for your time and attention.
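As an added example (not part of the question above, and not anyone's production code), the following Python splits an OpenSSL 0.9.8-style error line such as the one quoted in the question into its fields and unpacks the 8-digit hex error code using OpenSSL's ERR_PACK layout (lib << 24 | func << 12 | reason). For the quoted line that yields lib 20 (ERR_LIB_SSL), function 141 (SSL3_GET_KEY_EXCHANGE) and reason 314 (SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS): the client library has no EC parameters matching the curve the server selected. The numeric constants are taken from OpenSSL 0.9.8's err.h and ssl.h; the second sample line is constructed for contrast and does not come from the question.

```python
"""Parse legacy OpenSSL error lines and unpack the packed error code."""
import re
from dataclasses import dataclass

# Line quoted in the question (OpenSSL 0.9.8j, client side).
SAMPLE_LINE = (
    "24651:error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:"
    "unable to find ecdh parameters:s3_clnt.c:1342:"
)

# Constructed sample, not from the question: same function, but the
# classic-DH reason (219 = 0x0DB), to show the classifier tells them apart.
CONSTRUCTED_DH_LINE = (
    "24651:error:1408D0DB:SSL routines:SSL3_GET_KEY_EXCHANGE:"
    "unable to find dh parameters:s3_clnt.c:1342:"
)

# Layout of an ERR_print_errors() line in OpenSSL 0.9.8 / 1.0.x:
#   <pid>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?$"
)

ERR_LIB_SSL = 20  # OpenSSL err.h

# Reason codes from OpenSSL 0.9.8 ssl.h for the two reasons used here.
SSL_R_UNABLE_TO_FIND_DH_PARAMETERS = 219
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS = 314


@dataclass(frozen=True)
class OpenSSLError:
    pid: int
    code: int
    lib_num: int
    func_num: int
    reason_num: int
    lib: str
    func: str
    reason: str
    file: str
    line: int


def unpack_err_code(code: int) -> tuple:
    """Invert ERR_PACK(lib, func, reason) = lib << 24 | func << 12 | reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_error(line: str) -> OpenSSLError:
    """Split one error line into its textual fields and decoded numbers."""
    m = ERR_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an OpenSSL error line: {line!r}")
    code = int(m["code"], 16)
    lib_num, func_num, reason_num = unpack_err_code(code)
    return OpenSSLError(
        pid=int(m["pid"]), code=code,
        lib_num=lib_num, func_num=func_num, reason_num=reason_num,
        lib=m["lib"], func=m["func"], reason=m["reason"],
        file=m["file"], line=int(m["line"]),
    )


def is_ecdh_parameter_failure(err: OpenSSLError) -> bool:
    """True when libssl rejected the server's ECDH key exchange because it
    has no parameters for the offered curve (the symptom in the question).
    Keyed on the numeric reason, which is stable across builds."""
    return (err.lib_num == ERR_LIB_SSL
            and err.reason_num == SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS)


def triage(lines) -> dict:
    """Count parsed lines per reason text, ignoring non-error noise.
    Returns {"ecdh_failures": n, "by_reason": {reason_text: count}}."""
    by_reason: dict = {}
    ecdh = 0
    for raw in lines:
        try:
            err = parse_openssl_error(raw)
        except ValueError:
            continue  # stray log text, not an OpenSSL error line
        by_reason[err.reason] = by_reason.get(err.reason, 0) + 1
        if is_ecdh_parameter_failure(err):
            ecdh += 1
    return {"ecdh_failures": ecdh, "by_reason": by_reason}


if __name__ == "__main__":
    e = parse_openssl_error(SAMPLE_LINE)
    print(f"lib={e.lib_num} ({e.lib}) func={e.func_num} ({e.func}) "
          f"reason={e.reason_num} ({e.reason}) at {e.file}:{e.line}")
    print(triage([SAMPLE_LINE, CONSTRUCTED_DH_LINE, "unrelated log text"]))
```

Feeding the whole client-side log through triage() separates the ECDH-parameter failures from other handshake errors before deciding whether the fix belongs on the client library, the client cipher list or the server cipher order.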