ldapsearch & openssl 0.9.8e vs SHA256 signatures

cyki
Posts: 2
Joined: 2017/03/18 13:28:00

ldapsearch & openssl 0.9.8e vs SHA256 signatures

Post by cyki » 2017/03/18 13:55:09

Hello,

I found many articles about issues with validation of SHA256 signatures; usually it was advised to patch openssl to version 0.9.8o to have full support of SHA256, but I have two servers with exactly the same openssl version, and one is working and one is not.

server1
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
$ cat /proc/version
Linux version 2.6.18-164.11.1.el5 (mockbuild@builder16.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Wed Jan 20 07:39:04 EST 2010

server2
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
$ cat /proc/version
Linux version 2.6.18-419.el5 (mockbuild@x86-027.build.eng.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-55)) #1 SMP Wed Feb 22 22:40:57 EST 2017


I am testing the LDAP server with the ldapsearch command; server2 responds to the query, but server1 gives:

TLS certificate verification: Error, certificate signature failure
TLS: can't connect.
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
ldap_bind: Can't contact LDAP server (-1)
additional info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

From the output it looks like it cannot validate the SHA256 signature, but I wonder, if server2 has the same openssl, why server1 does not support it.
Although these servers are supposed to be connected to different environments, both LDAP servers have certificates signed with SHA256WithRSASignature.

Could someone help with openssl troubleshooting or explain the difference?

Thank you

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: ldapsearch & openssl 0.9.8e vs SHA256 signatures

Post by avij » 2017/03/18 15:01:02

Instead of comparing openssl version output, please compare the outputs of rpm -q openssl.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ldapsearch & openssl 0.9.8e vs SHA256 signatures

Post by TrevorH » 2017/03/18 17:20:03

According to your uname -a output from server1 it is 7 *years* out of date. Run yum update to get to 5.11.

CentOS 5 dies in less than 2 weeks so you might want to concentrate on migrating to something supported instead of trying to fix something that will be dead soon.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

cyki
Posts: 2
Joined: 2017/03/18 13:28:00

Re: ldapsearch & openssl 0.9.8e vs SHA256 signatures

Post by cyki » 2017/03/22 12:57:37

TrevorH wrote: According to your uname -a output from server1 it is 7 *years* out of date. Run yum update to get to 5.11.
CentOS 5 dies in less than 2 weeks so you might want to concentrate on migrating to something supported instead of trying to fix something that will be dead soon.

Yep, I know, but I cannot change anything without having a good argument, as the server is currently "stable".

avij wrote: Instead of comparing openssl version output, please compare the outputs of rpm -q openssl.

Thank you avij, this helped. Now I see the difference, but normally I would expect that any change in SSL would also change the version of openssl. I only somehow cannot find the change log for these RPMs; does RedHat/CentOS provide it?

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: ldapsearch & openssl 0.9.8e vs SHA256 signatures

Post by stevemowbray » 2017/03/22 14:22:26

rpm -q --changelog openssl
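The checks from this thread put together in one script: the package release that rpm -q openssl shows and openssl version does not, the changelog lookup from the answer above, the signature digest of a certificate file, and a self-signed sign-and-verify round trip through the local openssl (verification goes through ASN1_item_verify, the function named in the ldapsearch error). This is an added example, not code from the thread or from CentOS; it assumes a POSIX shell, an openssl CLI that understands dgst -<digest>, req -x509 and x509 -noout -text, and optionally rpm. The NVR string in the comments is constructed, and the certificate path is whatever is passed as the first argument.

```shell
#!/bin/sh
# Added example: pulls together the checks discussed in this thread.
# Assumptions: a POSIX shell; an openssl CLI that understands
# `dgst -<digest>`, `req -x509` and `x509 -noout -text`; rpm is optional.
# Nothing below talks to a network host.

# Split an rpm NVR string into "version release", e.g. the constructed
# name openssl-0.9.8e-12.el5 -> "0.9.8e 12.el5". The release is the part
# that `openssl version` does not show and that differed between the two
# servers in the thread.
rpm_version_release() {
    nvr=$1
    release=${nvr##*-}
    rest=${nvr%-*}
    version=${rest##*-}
    printf '%s %s\n' "$version" "$release"
}

# Reduce an X.509 signature algorithm name to its hash:
# sha256WithRSAEncryption -> sha256, ecdsa-with-SHA256 -> sha256.
# Prints nothing for names without a hash component (e.g. RSASSA-PSS).
sigalg_digest() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/-//g; s/with/ /' \
        | tr ' ' '\n' | grep -E '^(md5|sha[0-9]+)$' | head -n 1
}

# True if the local openssl can compute the digest at all.
openssl_supports_digest() {
    printf '' | openssl dgst "-$1" >/dev/null 2>&1
}

# Generate a throwaway self-signed certificate signed with the given
# digest and verify it with the same openssl. Verification goes through
# ASN1_item_verify, the function named in the ldapsearch error, so a
# library that cannot verify that digest fails here with the same reason.
# A build may compute a digest yet still fail to verify signatures made
# with it, which is why this is checked separately from the digest test.
selfsigned_verify_ok() {
    digest=$1
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -subj /CN=sigtest -days 1 "-$digest" \
        >/dev/null 2>&1 \
        && openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Package view (avij's and stevemowbray's answers): print the installed
# openssl package and any changelog entries that mention sha256.
report_openssl_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping package check"; return 1; }
    rpm -q openssl >/dev/null 2>&1 || { echo "openssl package not installed"; return 1; }
    nvr=$(rpm -q openssl | head -n 1)
    set -- $(rpm_version_release "$nvr")
    echo "package: $nvr (version $1, release $2)"
    echo "changelog entries mentioning sha256:"
    rpm -q --changelog openssl | grep -i sha256 | head -n 5
}

# Usage: sh check_sigalg.sh /path/to/server-cert.pem
# (nothing runs when no certificate path is given, so the functions can
# be sourced on their own)
if [ "$#" -ge 1 ]; then
    sigalg=$(openssl x509 -noout -text -in "$1" \
        | awk '/Signature Algorithm/ { print $3; exit }')
    digest=$(sigalg_digest "$sigalg")
    echo "openssl: $(openssl version)"
    report_openssl_package
    echo "certificate signature algorithm: $sigalg (digest: ${digest:-unknown})"
    if [ -n "$digest" ]; then
        openssl_supports_digest "$digest" && echo "digest $digest computable: yes" \
            || echo "digest $digest computable: no"
        selfsigned_verify_ok "$digest" && echo "verifies $digest signatures: yes" \
            || echo "verifies $digest signatures: NO (expect ASN1_item_verify failures)"
    fi
fi
```

Run it on each server against a copy of the LDAP server's certificate (for example one saved from openssl s_client output); the package release line is the value to compare between the two hosts, and the final verify line reproduces the ldapsearch failure without involving the LDAP server at all.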

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ldapsearch & openssl 0.9.8e vs SHA256 signatures

Post by TrevorH » 2017/03/22 16:09:32

cyki wrote: Yep, I know, but I cannot change anything without having a good argument, as the server is currently "stable".

Here's one. It has been approximately 7 years since the release of CentOS 5.4, which you are currently running. If you look at http://rhn.redhat.com/errata/rhel-server-errata.html, which lists all the bug fixes - security and otherwise - you have to go 77 *pages* through that list to get to the kernel announcement for the one you are running. At 25 entries per page that's 1925 advisories that you do not have. If I restrict that list to "Security" advisories only then you're on page 25 (showing bugs 601 - 625 of 956 entries). If I enter the word "Critical" in the search box then that's "just" 90 entries.

Are you happy having a system that has 90 critical security vulnerabilities on it? Some of those will allow unauthenticated remote privilege escalation.

That doesn't take account of the less severe bugs that have been fixed, some of which may have security implications, others may just fix bugs.

In 9 days time there will be no more security fixes at all for CentOS 5 so the first remotely exploitable vulnerability that comes along in the packages that you have installed will leave you hanging out with no cover, no way to patch and a massive migration to a supported release that needs to be done, not just at your leisure but right now, before tomorrow morning!
