
9. Chef Server >= 12.19.26 breaks LDAP compatibility with Microsoft IIS #1642

Closed
glasschef opened this issue Mar 13, 2019 · 5 comments
Labels
Component: ldap Triage: Confirmed Indicates an issue has been confirmed as described. Type: Bug Does not work as expected.

Comments

@glasschef
Contributor

Chef Server Version

12.19.26, 12.19.31

Platform Details

RHEL 7.6

Configuration

Standalone, standard ldap configuration (ssl_enabled is true)

Scenario:

AD/LDAP integration fails when connecting to Microsoft IIS due to missing signature_algorithm extensions in the HELLO section of a TLS 1.2 handshake. Per spec, the server should respond with some sort of negotiation, but this specific server simply drops the connection. Relevant details here:

http://erlang.org/pipermail/erlang-questions/2017-September/093310.html
https://bugs.erlang.org/browse/ERL-206

Steps to Reproduce:

  • Attempt to configure the Chef Server to use Microsoft AD server for login as documented here: https://docs.chef.io/server_ldap.html

  • Observe failure

  • Use tcpdump to capture SSL handshake, notice no signature_algorithm extensions

Expected Result:

Chef Server is compatible with Microsoft IIS Active Directory (accounting for slightly broken SSL implementation)

Actual Result:

Chef Server is incompatible with Microsoft IIS Active Directory due to missing signature_algorithm extension in SSL negotiation
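The check in step 3 of the report, confirming whether a captured ClientHello carries the signature_algorithms extension (TLS 1.2, RFC 5246 section 7.4.1.4.1), can be done without Wireshark by parsing the handshake record directly. The following is an added example, not code from this issue, Chef Server or Erlang/OTP: it builds two constructed TLS 1.2 ClientHello records, one with and one without signature_algorithms, and parses a record back into its extension list. The hostname, cipher suites, client random and algorithm list are made-up fixtures; the extension type numbers are the IANA-registered values. To test a real capture, extract the raw bytes of the ClientHello record from the tcpdump file (for example with Wireshark's "export packet bytes") and pass them to `client_hello_extensions`.

```python
"""Check whether a TLS 1.2 ClientHello offers the signature_algorithms extension.
Added example; the ClientHello bytes below are constructed, not taken from a
real Chef Server / Erlang capture."""
import struct

# Extension types from the IANA TLS ExtensionType registry.
SERVER_NAME = 0x0000
SUPPORTED_GROUPS = 0x000A
EC_POINT_FORMATS = 0x000B
SIGNATURE_ALGORITHMS = 0x000D


def _ext(ext_type, body):
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(include_signature_algorithms=True, server_name=b"ad.example.invalid"):
    """Build a minimal TLS 1.2 ClientHello record (constructed fixture).
    With include_signature_algorithms=False it mimics the hello this issue describes:
    otherwise well formed, but with no signature_algorithms extension, so the server
    is never told which hash/signature pairs the client accepts."""
    client_random = bytes(range(32))              # constructed, fixed for reproducibility
    cipher_suites = bytes.fromhex("c02f" "c030")  # TLS_ECDHE_RSA_WITH_AES_{128,256}_GCM_SHA{256,384}
    sni = struct.pack("!HBH", len(server_name) + 3, 0, len(server_name)) + server_name
    exts = _ext(SERVER_NAME, sni)
    exts += _ext(SUPPORTED_GROUPS, struct.pack("!HHH", 4, 0x0017, 0x0018))  # secp256r1, secp384r1
    exts += _ext(EC_POINT_FORMATS, b"\x01\x00")                              # uncompressed only
    if include_signature_algorithms:
        # (hash, signature) byte pairs: rsa/sha256, rsa/sha384, ecdsa/sha256
        algs = struct.pack("!HHH", 0x0401, 0x0501, 0x0403)
        exts += _ext(SIGNATURE_ALGORITHMS, struct.pack("!H", len(algs)) + algs)
    body = (
        b"\x03\x03" + client_random + b"\x00"     # client_version 1.2, random, empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def client_hello_extensions(record):
    """Parse a TLS record carrying a ClientHello; return {extension_type: body}.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    exts = {}
    if pos == len(body):
        return exts                               # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello length")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    if pos != end:
        raise ValueError("malformed extension list")
    return exts


def signature_algorithms(record):
    """Return the (hash, signature) pairs the ClientHello offers, or None when the
    extension is absent, which is the condition to look for in the capture."""
    body = client_hello_extensions(record).get(SIGNATURE_ALGORITHMS)
    if body is None:
        return None
    (n,) = struct.unpack("!H", body[:2])
    return [(body[2 + i], body[3 + i]) for i in range(0, n, 2)]


if __name__ == "__main__":
    for flag in (True, False):
        print("signature_algorithms:", signature_algorithms(build_client_hello(flag)))
```

A result of `None` from `signature_algorithms` on a real ClientHello is the symptom described in this report; a server that requires the extension before choosing a ServerKeyExchange signature may close the connection instead of continuing, which is what the reporter observed rather than any TLS alert.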

@markan markan added Type: Bug Does not work as expected. Component: ldap labels Mar 14, 2019
markan added a commit that referenced this issue Apr 11, 2019
This is a WIP; just trying to narrow down some LDAP breakage issue.

Signed-off-by: Mark Anderson <mark@chef.io>
@markan
Contributor

markan commented Apr 11, 2019

Nice detective work on this one. It looks like this issue is fixed in R20. We're very close to having all the dependencies in chef server updated to work with R20, so that would be my preferred fix.

While it looks like reverting to R18.3 would fix this, I'm kind of leery of that because of the CVEs fixed since 18.3, including CVE-2016-10253 and CVE-2017-100038. I don't think we're super vulnerable from those, as we don't really expose or use the features at risk, but still better to be up-to-date.

markan added a commit that referenced this issue Apr 12, 2019
This is a WIP; just trying to narrow down some LDAP breakage issue.

Signed-off-by: Mark Anderson <mark@chef.io>
@irvingpop

hey @markan is this also an issue for Chef Server 13.0.17?

@PrajaktaPurohit PrajaktaPurohit added Status: Untriaged An issue that has yet to be triaged. Triage: Confirmed Indicates an issue has been confirmed as described. and removed Status: Untriaged An issue that has yet to be triaged. labels Aug 5, 2019
@PrajaktaPurohit PrajaktaPurohit changed the title Chef Server >= 12.19.26 breaks LDAP compatibility with Microsoft IIS 9. Chef Server >= 12.19.26 breaks LDAP compatibility with Microsoft IIS Oct 3, 2019
@btm
Contributor

btm commented Oct 17, 2019

I think these internal tickets are related:
https://chefio.atlassian.net/browse/TRI-860
https://chefio.atlassian.net/browse/TRI-814

@PrajaktaPurohit
Contributor

Chef Infra Server is updated to use Erlang 20. This change will be available in stable with the next release of Chef Infra Server.

@btm
Contributor

btm commented Dec 4, 2019

This is fixed in Chef Infra Server 13.1.13+ (stable) through the upgrade to Erlang 20 which includes the fix for https://bugs.erlang.org/browse/ERL-206.

@btm btm closed this as completed Dec 4, 2019