Score:0

Enforce TLS1.2 in sssd client

cm flag

In one of our environments Linux servers are set up with sssd / OpenLDAP for OS login. To support older servers our OpenLDAP server still has to support TLSv1.0 and TLSv1.1.

RedHat 8 no longer supports TLS versions below TLSv1.2, and thus the standardized /etc/sssd/sssd.conf failed to connect to the LDAP server.

Error message:

sssd_be[1236697]: Could not start TLS encryption. error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

It seems(?) that the LDAP protocol - or the server - prefers the weaker TLS protocols first, and thus connecting from RHEL8 fails.

Of course the LDAP server has to remove support for older protocols, but how can the client side be forced to use TLSv1.2?

in flag
Instead of circumventing security measures you should update your outdated servers.
cm flag
I could not agree more, but the goal here was to highlight how to fix this client-side. One of the problems was that even RedHat "advised" to allow "legacy" protocols on the RHEL8 "clients", so this posting was made to highlight that you can force TLSv1.2 for clients while one waits for the server side to get up to speed. In this case they have to support other legacy clients, which happens in larger shops.
Score:0
cm flag

There does not seem to be a configuration option for sssd specifically for the TLS protocol level, but you can add it to the cipher suite configuration as follows:

# /etc/sssd/sssd.conf
<snip>
# OpenSSL cipher string; tokens must be ':'-separated. The "TLSv1.2" alias
# selects only suites that require TLS 1.2, so a server that prefers
# TLS 1.0/1.1 has no suite in common with this client and cannot downgrade it.
ldap_tls_cipher_suite = TLSv1.2:!EXPORT:!NULL
<snip>

After restarting sssd, RHEL8 was able to connect to the LDAP server and users were able to log in.
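The answer above relies on a side effect of the OpenSSL cipher string rather than on an explicit protocol setting: the "TLSv1.2" alias selects only suites whose minimum protocol version is TLS 1.2 (GCM, CCM, CHACHA20, SHA-256/384 suites), so an OpenLDAP server that prefers TLS 1.0/1.1 finds no suite it can use with the client. The Python script below is an added check, not code from the question or answer; it expands a cipher string the way the OpenSSL library behind libldap/sssd does and reports whether any selected suite could still be negotiated by a pre-1.2 server. The `TLS12_ONLY` constant is the answer's string with the ':' separator added; the permissive contrast string is constructed here for comparison. Run it on the RHEL8 box before restarting sssd to confirm the string actually excludes every TLS 1.0/1.1-capable suite.

```python
import ssl

# The answer's cipher string, with the ':' separator OpenSSL requires
# between tokens (the original "TLSv1.2!EXPORT" only works because OpenSSL
# silently skips the malformed remainder of the first token).
TLS12_ONLY = "TLSv1.2:!EXPORT:!NULL"

# Constructed contrast string: one SHA-1 suite usable from SSLv3 up, one
# AEAD suite that needs TLS 1.2. Not a RHEL or sssd default.
MIXED_EXAMPLE = "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"


def selected_suites(cipher_string):
    """Expand an OpenSSL cipher string with the OpenSSL build Python is linked
    against and return (suite name, minimum protocol) pairs.

    OpenSSL reports each suite's *minimum* protocol version (SSLv3, TLSv1,
    TLSv1.2, ...). get_ciphers() also lists the fixed TLS 1.3 suites, which
    set_ciphers() does not control; they are TLS 1.3-only and harmless here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def pre_tls12_suites(cipher_string):
    """Suites a TLS 1.0/1.1 (or SSLv3) server could still negotiate.

    Any suite whose minimum version is below TLS 1.2 is offered in the
    ClientHello and lets a server that prefers an older protocol pick it.
    """
    return [name for name, proto in selected_suites(cipher_string)
            if proto not in ("TLSv1.2", "TLSv1.3")]


def enforces_tls12(cipher_string):
    """True when the cipher string leaves no suite usable below TLS 1.2."""
    return not pre_tls12_suites(cipher_string)


if __name__ == "__main__":
    for label, cs in (("answer's string", TLS12_ONLY),
                      ("constructed contrast", MIXED_EXAMPLE)):
        print(f"{label}: {cs}")
        for name, proto in selected_suites(cs):
            print(f"  {name:40s} min {proto}")
        print(f"  enforces TLS 1.2: {enforces_tls12(cs)}")
```

This is a cipher-list workaround, so it also drops every SHA-1 CBC suite even if the server later moves to TLS 1.2; that is normally desirable, but it is the reason the fix works. The OpenLDAP client library itself (not sssd) also accepts `TLS_PROTOCOL_MIN 3.3` in /etc/openldap/ldap.conf, which is the direct protocol-floor setting for libldap; the page does not cover it, so verify it in ldap.conf(5) for your OpenLDAP version before relying on it.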
