[SERVER-49476] Disable ldap_authz_bind on Ubuntu 18.04 and 20.04 Created: 13/Jul/20  Updated: 29/Oct/23  Resolved: 20/Jul/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.1, 4.7.0

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4
Sprint: Security 2020-07-27
Participants:
Linked BF Score: 129

Description

Ubuntu 20.04 machines cannot talk to the ldaptest machine since Ubuntu 20.04 disables TLS 1.0 and 1.1.

Ubuntu 18.04 does not support SHA-1 signed certificates, which the ldaptest server uses.



Comments
Comment by Githook User [ 04/Aug/20 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-49476 Disable ldap_authz_bind TLS test on Ubuntu

(cherry picked from commit 8c3a205a5d31502f663432732a36731f8373fe9a)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/7cec8f6f805d0c7f84173cadc1344b7243a2291a

Comment by Githook User [ 17/Jul/20 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-49476 Disable ldap_authz_bind TLS test on Ubuntu
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/8c3a205a5d31502f663432732a36731f8373fe9a

Comment by Mark Benvenuto [ 14/Jul/20 ]

On Ubuntu 18.04+, openldap is compiled against gnutls. GnuTLS does not support SHA-1 signed certificates.

gnutls-cli --x509cafile=src/mongo/db/modules/enterprise/jstests/external_auth/assets/ldaptest-ca.pem  ldaptest.10gen.cc:636
Processed 1 CA certificate(s).
Resolving 'ldaptest.10gen.cc:636'...
Connecting to '54.225.237.121:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=New York,L=New York City,O=MongoDB,OU=Build,CN=ldaptest.10gen.cc', issuer `C=US,ST=New York,L=New York City,O=MongoDB,OU=Build,CN=LDAPTest CA', serial 0x055399, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2016-06-20 21:16:02 UTC', expires `2036-06-20 21:16:02 UTC', pin-sha256="btws/eCepZPK1PSF4UOE0J82/Zk+8TwzgVhq2vLf3mI="
        Public Key ID:
                sha1:7edae974c3f2d855a7a5e3176f39ee96bb394563
                sha256:6edc2cfde09ea593cad4f485e14384d09f36fd993ef13c3381586adaf2dfde62
        Public Key PIN:
                pin-sha256:btws/eCepZPK1PSF4UOE0J82/Zk+8TwzgVhq2vLf3mI=
        Public key's random art:
                +--[ RSA 2048]----+
                |                 |
                |                 |
                |                 |
                |               E.|
                |        S     ..=|
                |       .   .   *o|
                |        . + + = *|
                |         = B + B=|
                |        ..= o =O=|
                +-----------------+
 
- Certificate[1] info:
 - subject `C=US,ST=New York,L=New York City,O=MongoDB,OU=Build,CN=LDAPTest CA', issuer `C=US,ST=New York,L=New York City,O=MongoDB,OU=Build,CN=LDAPTest CA', serial 0x059253, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2016-05-23 20:43:21 UTC', expires `2036-05-23 20:43:21 UTC', pin-sha256="u2FW29lnxVTbpVmTn/tp/hYOhIme6AMcKC+WbiRyVZ8="
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

From the libgnutls30 change log:

gnutls28 (3.5.18-1ubuntu1.2) bionic-security; urgency=medium
 
  * SECURITY UPDATE: Mark SHA1 as insecure for certificate signing
    - debian/patches/insecuresha1-*.patch: backport upstream patches to
      allow marking SHA1 as insecure, but only for certificate signing.
    - debian/libgnutls30.symbols: added new symbol.
 
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 08 Jan 2020 10:39:00 -0500
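The gnutls-cli run above reaches its verdict by looking at the signatureAlgorithm of each certificate in the chain and treating SHA-1 (and MD5) as insecure for certificate signing, which is exactly what the libgnutls30 security update introduced. The following is an added example, not code from this ticket or from the MongoDB code base: a dependency-free Python check that walks just enough DER to pull the outer signatureAlgorithm OID out of each certificate in a PEM bundle and reports a chain as insecure if any certificate is SHA-1 or MD5 signed. All function names are this example's own, the OID table lists the algorithms it knows, and the certificates it runs on are constructed fixtures with dummy key and signature bytes, not the real ldaptest certificates.

```python
# Added example: flag SHA-1/MD5 certificate signatures the way gnutls-cli does
# ("signed using RSA-SHA1 (broken!)"). Walks the DER Certificate structure far
# enough to read signatureAlgorithm; sample certificates are constructed inline.
import base64

# signatureAlgorithm OID -> (name, treated as insecure for certificate signing)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("RSA-MD5", True),
    "1.2.840.113549.1.1.5": ("RSA-SHA1", True),
    "1.2.840.10040.4.3": ("DSA-SHA1", True),
    "1.2.840.10045.4.1": ("ECDSA-SHA1", True),
    "1.2.840.113549.1.1.11": ("RSA-SHA256", False),
    "1.2.840.113549.1.1.12": ("RSA-SHA384", False),
    "1.2.840.113549.1.1.13": ("RSA-SHA512", False),
    "1.2.840.10045.4.3.2": ("ECDSA-SHA256", False),
    "1.2.840.10045.4.3.3": ("ECDSA-SHA384", False),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (oid, name, is_weak) for a DER certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = read_tlv(cert, 0)
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_body, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_body)
    name, weak = SIGNATURE_OIDS.get(oid, ("unknown", False))
    return oid, name, weak

def chain_verdict(chain_der):
    """Per-certificate report plus a final status, in the spirit of gnutls-cli."""
    lines, insecure = [], False
    for i, cert in enumerate(chain_der):
        _, name, weak = signature_algorithm(cert)
        insecure = insecure or weak
        lines.append(f"Certificate[{i}] signed using {name}" + (" (broken!)" if weak else ""))
    lines.append("Status: chain uses insecure algorithm" if insecure
                 else "Status: signature algorithms OK")
    return lines

def load_pem_chain(pem_text):
    """Split a PEM bundle (e.g. a CA file) into DER certificates."""
    ders, block = [], None
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            block = []
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(block)))
            block = None
        elif block is not None:
            block.append(line.strip())
    return ders

# Constructed fixtures below: structurally valid DER, not real certificates.
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])   # fixtures stay below 256 bytes
    return bytes([tag]) + length + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        while arc > 0x7F:                  # emit remaining base-128 digits, high bit set
            arc >>= 7
            digits.insert(0, 0x80 | (arc & 0x7F))
        out.extend(digits)
    return _tlv(0x06, bytes(out))

def make_sample_cert(sig_oid):
    """Constructed fixture: Certificate DER with dummy serial and signature bytes."""
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")      # {oid, NULL params}
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg)                # serial + inner signature alg
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 32)                   # BIT STRING, dummy signature
    return _tlv(0x30, tbs + alg + sig)

def to_pem(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Same shape as the ldaptest chain above: leaf and CA both RSA-SHA1 signed.
    bundle = to_pem(make_sample_cert("1.2.840.113549.1.1.5")) * 2
    print("\n".join(chain_verdict(load_pem_chain(bundle))))
```

Pointing `load_pem_chain` at a real bundle such as the CA file passed to gnutls-cli above gives the same per-certificate listing; the check reads only the signature algorithm, so it says nothing about trust, expiry or hostname, which is why it complements rather than replaces a full TLS verification.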
