Chef Server 12.15.8 secure LDAP does not function with kernel FIPS mode enabled
Expected Behavior
For now, Chef Server should detect kernel FIPS mode enabled and refuse to function in the case where secure LDAP is also enabled in chef-server.rb.
Current Behavior
Currently, Chef Server's LDAP module is unable to communicate with a standard AD setup over an encrypted channel (port 636) when the Chef Server has FIPS mode enabled in the Linux kernel.
Steps to Reproduce (for bugs)
- Install AD server with a working cert on port 636
- Enable FIPS mode in the kernel (from dmesg after startup):
  Kernel command line: ro root=/dev/mapper/rootvg-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=129M@48M rd_LVM_LV=rootvg/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rd_LVM_LV=rootvg/lv_swap rhgb quiet boot=/dev/sda1 fips=1
  fips mode: enabled
- Install Chef Server and Manage and reconfigure with LDAP support enabled, pointing at the AD server on port 636
- Attempt to log in as a valid AD user through Manage; the communication will fail in opscode-erchef's current or requests.log.X like:
  [error] gen_*** <****> in state hello terminated with reason: call to undefined function crypto**:generate***key******/2 from ssl_connection:*******/3 line 1531
  [error] CRASH REPORT Process <> with 0 neighbours exited with reason: call to undefined function crypto**:generate***key*****(dh, [<<*******.>>,...]) in *******:terminate/7 line 626
  [error] Failed to connect to ldap host or an error occurred during connection setup. Please check chef-server.rb for correct host, port, and encryption values: "connect failed"
  [error] Supervisor tls_connection_sup had child undefined started with {tls_connection,start_link,undefined} at <*******> exit with reason call to undefined function crypto**:generate***key(**, [<<*******,...>>,...]) in context child_terminated
  [error] {<<"method=POST; path=******/authenticate_user; status=504; ">>,"Gateway Timeout"}
Your Environment
- Chef Server Version: 12.15.8
- Manage version: Any supported with 12.15.8
- Total/free RAM and disk space: N/A
- Operating System and Version: Any Chef Server supported OS
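The "Expected Behavior" above asks for a preflight check rather than a crash deep inside the TLS handshake: detect kernel FIPS mode and refuse to start when chef-server.rb also enables encrypted LDAP. The script below is an added illustration of that check, not code from Chef Server or from anyone in this thread. It assumes the kernel exposes its FIPS state in /proc/sys/crypto/fips_enabled (with the fips=1 boot parameter from the dmesg output above as a fallback) and that encrypted LDAP is configured through ldap['encryption'] = 'simple_tls' or 'start_tls', or the older ldap['ssl_enabled'] = true; the config key names are assumptions, since the report only mentions "encryption values".

```shell
#!/bin/sh
# Added example (not Chef Server code): refuse to start when kernel FIPS mode
# and encrypted LDAP are both enabled, mirroring the behaviour the report asks for.
#
# Assumptions (not taken from the issue):
#   - kernel FIPS state is read from /proc/sys/crypto/fips_enabled ("1" = on),
#     falling back to the fips=1 kernel command-line parameter;
#   - encrypted LDAP is configured via ldap['encryption'] = 'simple_tls' or
#     'start_tls', or the legacy ldap['ssl_enabled'] = true, in chef-server.rb.

# kernel_fips_enabled [FIPS_FILE] [CMDLINE_FILE] -> 0 if FIPS mode is on
# The file arguments exist so the check can be exercised against constructed
# inputs; in production they default to the real /proc files.
kernel_fips_enabled() {
    fips_file=${1:-/proc/sys/crypto/fips_enabled}
    cmdline_file=${2:-/proc/cmdline}
    if [ -r "$fips_file" ] && [ "$(cat "$fips_file")" = "1" ]; then
        return 0
    fi
    # Fallback: fips=1 as a whole word on the kernel command line.
    if [ -r "$cmdline_file" ] \
       && grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)' "$cmdline_file"; then
        return 0
    fi
    return 1
}

# ldap_encryption_enabled [CONFIG_FILE] -> 0 if chef-server.rb turns on LDAP TLS
ldap_encryption_enabled() {
    cfg=${1:-/etc/opscode/chef-server.rb}
    [ -r "$cfg" ] || return 1
    # Drop Ruby comments (a commented-out setting must not count), then look
    # for an encryption mode other than 'none' or the legacy ssl flag.
    sed 's/#.*$//' "$cfg" | grep -Eq \
        "ldap\['encryption'\][[:space:]]*=[[:space:]]*['\"](simple_tls|start_tls)['\"]|ldap\['ssl_enabled'\][[:space:]]*=[[:space:]]*true"
}

# preflight [CONFIG_FILE] [FIPS_FILE] [CMDLINE_FILE]
#   -> 0 when the combination is safe to start, 2 when it must be refused
preflight() {
    cfg=$1
    fips_file=$2
    cmdline_file=$3
    if kernel_fips_enabled "$fips_file" "$cmdline_file" \
       && ldap_encryption_enabled "$cfg"; then
        echo "refusing to start: kernel FIPS mode is enabled and chef-server.rb enables encrypted LDAP" >&2
        return 2
    fi
    return 0
}
```

Sourced into a reconfigure or service-start script, `preflight /etc/opscode/chef-server.rb` returns 2 (and prints the reason) only for the FIPS-plus-LDAPS combination; FIPS with unencrypted LDAP, or LDAPS on a non-FIPS kernel, passes. Stripping comments before matching matters, since the legacy `ldap['ssl_enabled']` line is often left commented out in a template.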
Thanks for the bug report. This is definitely a valid bug and is a consequence of how we implemented FIPS support at the Erlang level. The crypto module is missing those functions because we didn't implement them in our replacement crypto module.
Fixing this would likely require some combination of:
- Re-thinking how we support FIPS in erchef
- Re-implementing more functions in our erlang-crypto2 module: https://github.com/chef/erlang-crypto2
- Upgrading to OTP-20 and hoping that their use of the EVP API makes it a bit easier to do (1) or (2)
cc @jaym in case I'm missing something.
Yeah, we never attempted to support LDAP, which is why none of those functions made it into erlang-crypto2. Porting over more functions isn't horrible, but seeing as OTP-20 now supports it, we should try to upgrade. If not, we have the OTP-20 crypto library to work from, so it should be faster this time.
We will be using Erlang 20 once https://github.com/chef/chef-server/pull/1802 is merged in.
- Revisit this bug after that is merged.
- Identify the crypto modules that will need to be ported.