• 8

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

Non supported SSL cipher, how to disable it?

I have a linux system with a a version of OpenSSL 0.9.8j-fips 07 Jan 2009 and an Apache Server version: Apache/2.4.27 (Unix)

The Apache has issues connecting via secure LDAPS to a remote DC Windows 2016 server.

I have traced the problem by capturing packets. Here is the output from the openssl test command 24651:error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters:s3_clnt.c:1342:

In the network dumps, it is shown that the cipher TLS_ECDE_RSA_WITH AES_256_CBC_SHA is proposed. The DC accepts the apache client hello handshake and informs it that the above cipher will be used for future communications and provides a specific curve. Then the apache client sends a fatal alert (Internal error).

One other important thing to note, is that by this far, on the place of the W2016 was an old W2008 server used for this connection, and everything worked fine with it.

What is the best way to resolve this and how?

  • By configuring the apache to not use the cipher
  • By configuring the Windows DC to not use the cipher
  • By updating the openssl on the Linux server
  • By disabling the cipher in the openssl configuration

Here is the apache configuration SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

Edit: After some tests, it appears that the remote DC does not have problems with 3DES, RSA and RC4 ciphers, I am thinking to set this rule to apache -

SSLCipherSuite AES128-SHA:HIGH:MEDIUM:!MD5:!RC4:!3DES:!ECDH SSLProxyCipherSuite AES128-SHA:HIGH:MEDIUM:!MD5:!RC4:!3DES:!ECDH What do you think?

Thanks in advance for the answers and for your time and attention.

    • Is the Linux RedHat family (including CentOS, Scientific, etc) especially an old version? If so its OpenSSL (and other crypto packages also) implements either no ECC or only a few curves (IIRC P-256 P-384 P-521). Normally it should express this limitation in ClientHello in 'supportedcurves' extension 000a (nowadays renamed 'supportedgroups'), but 0.9.8 might still be using the 'SSL2/SSL3-compatible-then-upgrade' format which prevents this -- your network dumps should show this, and which curve the server chose in ServerKeyExchange.
    • You are correct. I now saw that the client (apache) presents 37 ciphers to the server. The server choose one of the ECDH types and it failed within the client. I just tested all 37 ciphers provided by openssl -v ciphers list and only 3 succeeded. I will now do some tests with this new configuration, based on the successful ciphers: SSLCipherSuite DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!MD5:!RC4:!3DES:!ECDH SSLProxyCipherSuite DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!MD5:!RC4:!3DES:!ECDH

I don't think that SSLCipherSuite / SSLProxyCipherSuite affects how Apache talks to the LDAP server, instead it's a setting for mod_ssl describing what ciphers to offer to HTTPS clients. That's unrelated setting.

I'm afraid you will have to set the list of supported ciphers on the Windows LDAP server to something less strict that's still supported by your Apache host. You may have to enable RC4 ciphers, or something like that.

Essentially you'll need to find a setting that's mutually acceptable by both the Windows and the Apache, even if some config changes are needed.

Or indeed upgrade the Linux server - from the OpenSSL version I'm guessing it will be some old CentOS 5 or something similarly ancient, probably full of security issues too.

  • 0
Reply Report
      • 2
    • SSLCipherSuite controls what it accepts from HTTPS clients, and SSLProxyCipherSuite what it offers to (backend) HTTPS servers -- but yes neither of them LDAPS.
    • The apache has LoadModule ldap_module modules/mod_ldap.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so And for the LDAP authentication LDAPTrustedGlobalCert is used along with the pem. I have done many tests, and indeed the openssl version is very, very old. From tens of ciphers, I have managed to successfully use only 3, one of which is not recommended due to security reasons. I am starting to think that it would be better to update the openssl to the latest version.

Trending Tags