
how to configure harbor ldap client to use tls1.2 strong ciphers

Open wu105 opened this issue 2 years ago • 4 comments

This is a repeat of #17484 that I could not reopen directly.

The issue is a tls version issue, not a certificate issue -- we never selected the "LDAP Verify Certificate" option for other reasons. The harbor core container logged the following if that helps:

2022-08-31T13:33:37Z [ERROR] [/server/error/error.go:53]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"LDAP connect fail, error: LDAP Result Code 200 \"\": EOF"}]} 
/harbor/src/core/api/ldap.go:103, github.com/goharbor/harbor/src/core/api.(*LdapAPI).Ping
2022/08/31 13:33:37.664 [D] [transaction.go:62]  |     10.244.3.1| 500 |   9.150339ms|   match| POST     /api/v2.0/ldap/ping   r:/api/v2.0/ldap/ping

As a workaround, we temporarily canceled the security patch on the ldapserver that enforces TLS1.2 or above. There is no certificate change related to the security patch. Our harbor installation runs Version v2.0.2-e91b4ff1.

Many thanks,

Peng

wu105 avatar Sep 05 '22 19:09 wu105

The error code 200 means ErrorNetwork, is there any connectivity issue between the LDAP server and harbor? If you uncheck the "LDAP Verify Certificate" option, then it is not related to the certificate.

stonezdj avatar Sep 06 '22 05:09 stonezdj

Hi Stonezdj,

Upon further review, the ldap server that works seems to offer tls1.2 only already, but none of the ciphers are strong, see below. If the ldap client/server cannot agree on a cipher, a connection cannot be made, ErrorNetwork would be proper but not informative.

The recent security patch must have removed all the weak ciphers, apparently harbor's ldap client could not use any of the strong ciphers offered. I will update this issue with the strong ciphers once I have the information.

Meanwhile, do we know what ciphers the harbor v2.0.2-e91b4ff1 ldap client supports?
Does ldap client of newer harbor versions support a different cipher set?

Thanks,

Peng

 Testing protocols via sockets except NPN+ALPN of the ldap servers that harbor v2.0.2-e91b4ff1 can work with

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories of the ldap servers that harbor v2.0.2-e91b4ff1 can work with:

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered (OK)
 Average: SEED + 128+256 Bit CBC ciphers       offered
 Strong encryption (AEAD ciphers)              not offered

"Weak" Cipher set offered by the ldap server that can work with harbor:
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x67     DHE-RSA-AES128-SHA256             DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       

wu105 avatar Sep 06 '22 19:09 wu105

Our ldap server would offer the following ciphers to comply with the latest security requirement (no 1024bit ciphers):

TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

With the above, our harbor v2.0.2-e91b4ff1 would have connection issues with the ldap server, until the following ciphers were added back to the ldap server as a workaround:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256

wu105 avatar Sep 09 '22 14:09 wu105
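An added check, not code from Harbor or from anyone in this thread, that explains the behaviour reported above: it compares the cipher suites a server offers with the suites the Go crypto/tls library behind Harbor's LDAP client implements at all. The two suite lists are copied from this issue; which suites count as implemented depends on the Go toolchain you run it with, so the assumption is a current Go release.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Suites the hardened LDAP server offered (IANA names, copied from the issue).
var ServerOffered = []string{
	"TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
	"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
	"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
}

// The two suites that had to be re-enabled on the server as a workaround.
var WorkaroundAdded = []string{"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"}

// Overlap splits a server's offered list into suites this Go toolchain's
// crypto/tls implements at all (secure or flagged insecure) and suites it
// does not, keeping the server's order. Go has never implemented finite-field
// DHE, static ECDH, DSS-signed or Camellia suites, so a Harbor (Go) client can
// never agree on any entry of ServerOffered, whatever TLS version is in use.
func Overlap(offered []string) (usable, unusable []string) {
	impl := map[string]bool{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		impl[cs.Name] = true
	}
	for _, name := range offered {
		if impl[name] {
			usable = append(usable, name)
		} else {
			unusable = append(unusable, name)
		}
	}
	return usable, unusable
}

func main() {
	usable, unusable := Overlap(ServerOffered)
	fmt.Printf("hardened list: %d usable by a Go client, %d not\n", len(usable), len(unusable))
	for _, n := range unusable {
		fmt.Println("  no overlap:", n)
	}
	usable, _ = Overlap(WorkaroundAdded)
	fmt.Println("workaround suites a Go client can negotiate:", usable)
}
```

The same check applied to a server's real list (for example the output of a TLS scanner) shows before a change whether a Go client will be left with no common suite; the remedy is to keep at least one ECDHE_RSA or ECDHE_ECDSA AES-GCM suite enabled rather than falling back to RSA key exchange.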

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Nov 18 '22 09:11 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions[bot] avatar Dec 19 '22 09:12 github-actions[bot]