CentOS 6.7 upgrade to CentOS 6.8 and TLS/SSL issues

We had to update our server from CentOS 6.7 to CentOS 6.8 due to security compliance. When doing so, however, it caused 389 to be unstable on TLS/SSL port 636. It would be up for a minute or two (and take connections), then fail with the following error when a server/script tried to connect. The non-TLS/SSL port 389 would work fine without any issues/errors. Before we patched, it would work without issues. Connecting to the port shows no issue with the certificate.


[26/Jan/2017:01:02:39 -0500] conn=97 fd=64 slot=64 SSL connection from X.X.X.X to X.X.X.X
[26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.


From the client:


TLS: loaded CA certificate file /etc/pki/tls/certs/bundle.crt.
TLS: certificate [CN=XXXXXX.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated] is valid
TLS: error: tlsm_PR_Recv returned -1 - error 104:Connection reset by peer
TLS: error: connect - force handshake failure: errno 104 - moznss error -5961
TLS: can't connect: TLS error -5961:TCP connection reset by peer.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind


Normal connection:


[26/Jan/2017:05:29:35 -0500] conn=904 fd=65 slot=65 SSL connection from X.X.X.X to X.X.X.X
[26/Jan/2017:05:29:35 -0500] conn=904 TLS1.2 256-bit AES


Current version of 389 (389 was already updated and working well before the 6.8 upgrade):


389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64
389-console-1.1.7-1.el6.noarch


NSS (some updated during the upgrade):


nss-3.21.0-8.el6.x86_64
nss-softokn-3.14.3-23.el6_7.x86_64
nss-softokn-freebl-3.14.3-23.el6_7.i686
nss-softokn-freebl-3.14.3-23.el6_7.x86_64
nss-sysinit-3.21.0-8.el6.x86_64
nss-tools-3.21.0-8.el6.x86_64
nss-util-3.21.0-2.el6.x86_64


Port is open:


tcp        0      0 :::636                      :::*                        LISTEN


Approximate strace:


getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 1 ([{fd=8, revents=POLLIN}])
accept(8, {sa_family=AF_INET6, sin6_port=htons(52890), inet_pton(AF_INET6, "::ffff:X.X.X.X", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 36
fcntl(36, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(36, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
fcntl(36, F_DUPFD, 64)                  = 64
close(36)                               = 0
setsockopt(64, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(64, SOL_TCP, TCP_NODELAY, [0], 4) = 0
getsockname(64, {sa_family=AF_INET6, sin6_port=htons(636), inet_pton(AF_INET6, "::ffff:X.X.X.X", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}, {fd=64, events=POLLIN}], 5, 250) = 1 ([{fd=64, revents=POLLIN}])
futex(0x16ee83c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x16ee838, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 1 ([{fd=40, revents=POLLIN}])
read(40, "\0", 200)                     = 1
close(64)                               = 0
getpeername(8, 0x7ffe450d5980, [112])   = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=40, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=-1}], 4, 250) = 0 (Timeout)



_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
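An added example for triaging the intermittent behaviour described in the post; this is not part of the original message and not code from 389-ds. It reads 389-ds access-log lines in the format quoted above, pairs each conn's "SSL connection from" line with the later "TLS1.2 256-bit AES" or "closed - ..." line for the same conn, and counts an SSL connection that is closed before any cipher line as a handshake failure. That lets you see at a glance how many LDAPS connections fail versus complete, from which clients, and in which minutes (useful for lining the failure windows up with the package upgrade and with the strace). The sample log is constructed: the two failing connections and the normal one mirror the lines in the post, while the plaintext "connection from" line, the "U1" close reason and the documentation-range addresses are assumed shapes for illustration. The regexes are my own reading of the log format, not an official grammar.

```python
"""Triage 389-ds access-log lines: which LDAPS connections completed the TLS
handshake and which were closed during it.  Added example, not 389-ds code."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the access-log format quoted in the post.  Addresses are
# RFC 5737 placeholders; the plaintext line and the "U1" close are assumed shapes.
SAMPLE_LOG = """\
[26/Jan/2017:01:02:39 -0500] conn=97 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.20
[26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.
[26/Jan/2017:01:02:41 -0500] conn=98 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.20
[26/Jan/2017:01:02:41 -0500] conn=98 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake.
[26/Jan/2017:05:29:35 -0500] conn=904 fd=65 slot=65 SSL connection from 192.0.2.11 to 192.0.2.20
[26/Jan/2017:05:29:35 -0500] conn=904 TLS1.2 256-bit AES
[26/Jan/2017:05:29:36 -0500] conn=904 op=1 fd=65 closed - U1
[26/Jan/2017:05:29:36 -0500] conn=905 fd=66 slot=66 connection from 192.0.2.12 to 192.0.2.20
"""

# Every access-log line starts with a bracketed timestamp and a conn= id.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
# "SSL connection from" marks an LDAPS accept; without "SSL " it is the plain port.
OPEN_RE = re.compile(r"^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)$")
# The cipher line is only logged once the handshake has completed.
TLS_RE = re.compile(r"^(?P<proto>TLS\S+) (?P<bits>\d+)-bit (?P<cipher>.+)$")
CLOSE_RE = re.compile(r"^op=-?\d+ fd=\d+ closed - (?P<reason>.+)$")


@dataclass
class Conn:
    conn_id: int
    opened: datetime
    src: str
    ssl: bool
    cipher: Optional[str] = None        # set when the "TLS1.2 256-bit AES" line is seen
    close_reason: Optional[str] = None  # text after "closed - "

    @property
    def handshake_failed(self) -> bool:
        # An SSL connection closed before any cipher line never finished the handshake.
        return self.ssl and self.cipher is None and self.close_reason is not None


def parse_access_log(text: str) -> List[Conn]:
    """Fold the per-line events into one record per conn id."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log event line; ignore
        cid, rest = int(m.group("conn")), m.group("rest")
        if (o := OPEN_RE.match(rest)):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            conns[cid] = Conn(cid, ts, o.group("src"), o.group("ssl") is not None)
        elif cid in conns and (t := TLS_RE.match(rest)):
            conns[cid].cipher = f"{t.group('proto')} {t.group('bits')}-bit {t.group('cipher')}"
        elif cid in conns and (c := CLOSE_RE.match(rest)):
            conns[cid].close_reason = c.group("reason")
    return list(conns.values())


def summarize(conns: List[Conn]) -> dict:
    """Counts that separate handshake failures from connections that negotiated a cipher."""
    ssl = [c for c in conns if c.ssl]
    failed = [c for c in ssl if c.handshake_failed]
    return {
        "ssl_connections": len(ssl),
        "handshake_ok": sum(1 for c in ssl if c.cipher is not None),
        "handshake_failed": len(failed),
        "failure_reasons": Counter(c.close_reason for c in failed),
        "failing_clients": Counter(c.src for c in failed),
        # Minute buckets make an "up for a minute or two, then failing" pattern visible.
        "failures_per_minute": Counter(c.opened.strftime("%d/%b/%Y:%H:%M") for c in failed),
        "ciphers_seen": Counter(c.cipher for c in ssl if c.cipher is not None),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_access_log(SAMPLE_LOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Point it at the real file with `python3 triage.py < /var/log/dirsrv/slapd-INSTANCE/access` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `failures_per_minute` bucket is the one to compare against the time of the yum transaction and against the moment the strace shows the server closing fd 64 right after the first poll on it.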
