Re: CVE request: openldap does not honor TLSCipherSuite configuration option

[Henri Salo <henri () nerv fi>]

On Tue, Jun 05, 2012 at 03:54:02PM -0600, Vincent Danen wrote:
> Could a CVE be assigned to this issue?
>
> It was reported that OpenLDAP, when using the Mozilla NSS backend, would
> ignore any TLSCipherSuite configuration settings.  When the
> TLSCipherSuite setting is configured, OpenLDAP would use the default
> cipher suite, ignoring the setting.
>
> While the default cipher suite contains some weak ciphers (e.g.
> MD5-based), it is still not easy to break the encryption to obtain
> sensitive information.  However, if an administrator wishes to enforce
> the use of stronger ciphers by overriding the defaults using
> TLSCipherSuite, they should be able to trust that, when the
> configuration items is in place, the stronger ciphers are used.  Due to
> this flaw, that is not the case.
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=825875
> http://www.openldap.org/its/index.cgi?findid=7285
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2c2bb2e
>
>
> Thanks.
>
> -- 
> Vincent Danen / Red Hat Security Response Team

Reported to Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676309

- Henri Salo