
In one of our environments Linux servers are set up with sssd / OpenLDAP for OS login. To support older servers our OpenLDAP server still has to support TLSv1.0 and TLSv1.1.

RedHat 8 no longer supports TLS levels below TLSv1.2, and thus the standardized /etc/sssd/sssd.conf failed to connect to the LDAP server.

Error message:

sssd_be[1236697]: Could not start TLS encryption. error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

It seems(?) that the LDAP protocol - or the server - prefers the weaker TLS protocols first, and thus connecting from RHEL8 fails.

Of course the LDAP server has to remove support for older protocols, but how can the client side be forced to use TLSv1.2?

sastorsl
  • Instead of circumventing security measures you should update your outdated servers. – Gerald Schneider Jan 31 '22 at 15:07
  • I could not agree more, but the goal here was to highlight how to fix this client-side. One of the problems was that even RedHat "advised" to allow "legacy" protocols on the RHEL8 "clients", so this posting was made to highlight that you can force TLSv1.2 for clients while one waits for the server side to get up to speed. In this case they have to support other legacy clients, which happens in larger shops. – sastorsl Feb 01 '22 at 07:57

1 Answer


There does not seem to be a configuration option for sssd specifically for the TLS protocol level, but you can add it to the cipher suite configuration as follows:

# /etc/sssd/sssd.conf
<snip>
ldap_tls_cipher_suite = TLSv1.2!EXPORT:!NULL
<snip>

After restarting sssd, RHEL8 was able to connect to the LDAP server and users were able to log in.

sastorsl
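A client-side check that shows why the cipher-suite setting works, added here as an example and not part of the answer: it expands an OpenSSL cipher string (the syntax ldap_tls_cipher_suite takes) through the local OpenSSL library and confirms that no selected cipher can be negotiated below TLS 1.2, so a TLS 1.0/1.1 server has no common suite and the handshake fails instead of downgrading. It assumes the colon-separated form TLSv1.2:!EXPORT:!NULL, since ':' is OpenSSL's documented separator between cipher-string items; the answer writes the value without that colon.

```python
import ssl

# Colon-separated form of the answer's value (assumption: the answer omits
# the ':' between TLSv1.2 and !EXPORT; ':' is OpenSSL's documented separator).
SSSD_CIPHER_SUITE = "TLSv1.2:!EXPORT:!NULL"

# Protocol labels OpenSSL reports for ciphers that are usable below TLS 1.2.
# The exact label for pre-1.2 suites varies by OpenSSL version, hence the set.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def expand_cipher_string(cipher_string):
    """Resolve an OpenSSL cipher string to the (name, protocol) pairs the
    local OpenSSL selects for it. Raises ssl.SSLError when the string
    selects no cipher at all (a misconfiguration sssd would also hit)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def legacy_ciphers(cipher_string):
    """Names of the selected ciphers that can still run over TLS 1.0/1.1."""
    return [name for name, proto in expand_cipher_string(cipher_string)
            if proto in LEGACY_PROTOCOLS]


def forces_tls12_or_newer(cipher_string):
    """True when every selected cipher requires TLS 1.2 or later, i.e. a
    client offering this list cannot complete a TLS 1.0/1.1 handshake."""
    return legacy_ciphers(cipher_string) == []


if __name__ == "__main__":
    # "DEFAULT" is OpenSSL's built-in default list, shown for contrast.
    for cs in (SSSD_CIPHER_SUITE, "DEFAULT"):
        print(f"{cs!r}: forces TLS>=1.2: {forces_tls12_or_newer(cs)}; "
              f"legacy-capable ciphers: {legacy_ciphers(cs)[:3]}")
```

On an OpenSSL build with TLS 1.3 the expansion also lists the TLS 1.3 suites, which is fine: they can never be negotiated with a pre-1.2 server either.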