Encryption Management Server key lookups fail over LDAPS

Article ID: 212307

Products

Encryption Management Server, Encryption Management Server Powered by PGP Technology, Gateway Email Encryption, Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

Encryption Management Server can look up keys on remote key servers using LDAP or LDAPS.

Encryption Management Server fails to connect over LDAPS to remote Encryption Management Servers.

The Mail log contains an error like the following, where keys.example.com is the LDAPS server and [email protected] is the email address of the recipient:

Looking for key(s) on LDAPS PGP keyserver keys.example.com:636
key search <[email protected]> [keys.example.com]: Could not get recipient encryption key: server open failed

Cause

When Encryption Management Server receives an LDAPS connection, it issues a Certificate Request.

In order to comply with section 7.4.6 of RFC 5246, the Encryption Management Server that is making the LDAPS connection should respond to the Certificate Request by sending either its own server certificate or a zero-length certificate.

Instead, the Encryption Management Server that is making the LDAPS connection responds with the certificate chain of its server certificate (the intermediate certificate(s) and the root certificate). This does not comply with section 7.4.6 of RFC 5246 and therefore the TLS connection fails.
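The rule above can be checked at the wire-format level. The following is an added example, not code from the article or from the Encryption Management Server product: it encodes and decodes a TLS 1.2 Certificate handshake message (RFC 5246 section 7.4.2: a 24-bit certificate_list length followed by 24-bit length-prefixed certificates) and then applies the section 7.4.6 rule to a client's reply to a Certificate Request. The certificate blobs (OWN_CERT, INTERMEDIATE_CA, ROOT_CA) are constructed placeholders standing in for DER certificates, and the three sample messages are constructed to show the compliant empty reply, the compliant own-certificate-first reply, and the non-compliant chain-only reply described in the cause.

```python
# Added example: TLS 1.2 Certificate handshake message encoding and the
# RFC 5246 section 7.4.6 client-certificate rule. Not part of the article.

HANDSHAKE_CERTIFICATE = 11  # HandshakeType certificate(11), RFC 5246 section 7.4


def _u24(n: int) -> bytes:
    """Encode a 24-bit big-endian length as used by the Certificate message."""
    return n.to_bytes(3, "big")


def build_certificate_message(certs: list[bytes]) -> bytes:
    """Encode a Certificate handshake message from a list of DER blobs.

    An empty list produces the zero-length certificate_list that a client
    without a suitable certificate must send in reply to a CertificateRequest.
    """
    body = b"".join(_u24(len(c)) + c for c in certs)
    cert_list = _u24(len(body)) + body
    return bytes([HANDSHAKE_CERTIFICATE]) + _u24(len(cert_list)) + cert_list


def parse_certificate_message(msg: bytes) -> list[bytes]:
    """Decode a Certificate handshake message back into its certificate blobs."""
    if not msg or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(msg[1:4], "big")
    if len(msg) != 4 + hs_len:
        raise ValueError("handshake length does not match message size")
    list_len = int.from_bytes(msg[4:7], "big")
    if list_len != hs_len - 3:
        raise ValueError("certificate_list length does not match handshake length")
    certs, pos, end = [], 7, 7 + list_len
    while pos < end:
        n = int.from_bytes(msg[pos:pos + 3], "big")
        pos += 3
        if pos + n > end:
            raise ValueError("truncated certificate entry")
        certs.append(msg[pos:pos + n])
        pos += n
    return certs


def client_certificate_ok(msg: bytes, own_cert: bytes) -> bool:
    """RFC 5246 section 7.4.6: a client's reply to a CertificateRequest is
    acceptable if the certificate_list is empty (no suitable certificate) or
    begins with the client's own certificate. A list holding only issuer
    certificates, which is what the affected releases send, is rejected."""
    certs = parse_certificate_message(msg)
    if not certs:
        return True
    return certs[0] == own_cert


# Constructed placeholder blobs; real messages carry DER-encoded X.509 certificates.
OWN_CERT = b"DER:client.example.com"
INTERMEDIATE_CA = b"DER:intermediate-ca"
ROOT_CA = b"DER:root-ca"

# Constructed sample replies to a CertificateRequest.
EMPTY_REPLY = build_certificate_message([])                              # compliant
CHAIN_WITH_OWN = build_certificate_message([OWN_CERT, INTERMEDIATE_CA, ROOT_CA])  # compliant
CHAIN_ONLY = build_certificate_message([INTERMEDIATE_CA, ROOT_CA])       # the bug: own cert missing

if __name__ == "__main__":
    for name, reply in [("empty", EMPTY_REPLY), ("own+chain", CHAIN_WITH_OWN), ("chain only", CHAIN_ONLY)]:
        print(f"{name:10s} certs={len(parse_certificate_message(reply))} ok={client_certificate_ok(reply, OWN_CERT)}")
```

The empty reply encodes to just seven bytes (handshake type, a three-byte handshake length of 3, and a three-byte certificate_list length of 0), which is why it is often described as a "zero-length certificate" even though it is a complete, valid handshake message.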

The following tcpdump capture shows the remote Encryption Management Server issuing a Certificate Request and the connecting Encryption Management Server responding incorrectly with its certificate chain:

Environment

Symantec Encryption Management Server 3.4.2 MP2, 3.4.2 MP3, 3.4.2 MP4, 3.4.2 MP5, 10.5 and 10.5 MP1.

Resolution

Upgrade to release 10.5 MP2.

If you cannot upgrade, there are several ways to work around this issue:

  1. Use a self-signed certificate on the Encryption Management Server that makes the LDAPS connection.
  2. Delete the certificate chain of a certificate that is not self-signed on the Encryption Management Server that makes the LDAPS connection.
  3. Modify the stunnel configuration of the Encryption Management Server Keyserver.

The only way to work around this issue is for the connecting Encryption Management Server to connect to the LDAPS key server using a server certificate that has no certificate chain.

1. Use a self-signed certificate

To create a self-signed certificate do the following:

  1. In the administration console, navigate to System / Network and click on the Certificates button.
  2. Click on the Add Certificate button.
  3. In the Hostname field, enter the CN (Common Name) of the certificate. For example, keys.example.com.
  4. From the Key Size dropdown list, select 2048.
  5. Optionally, from the Expiration dropdown list, select a number of years other than the default of 1 year.
  6. Leave the Contact Email field empty.
  7. Optionally, complete some or all of the remaining fields.
  8. Click the Generate Self-Signed button to generate the self-signed certificate.
  9. Navigate to System / Network.
  10. Select the Interface that connects to the LDAPS server.
  11. Assign the self-signed certificate to the interface by selecting it from the Assigned Certificate dropdown list.
  12. Click the Save button.

2. Delete the certificate chain of a certificate that is not self-signed

A certificate issued either by an internal or external Certificate Authority can be effectively made into a self-signed certificate by deleting the certificates in its certificate chain:

  1. In the administration console, navigate to Keys / Trusted Keys.
  2. Search for the certificate's root certificate.
  3. Click on the Delete button to delete it.
  4. Delete all the Intermediate certificates in the same way.

3. Modify the stunnel configuration of the Encryption Management Server Keyserver

The administrator of the Encryption Management Server that is running the Keyserver service can modify the stunnel configuration to accept LDAPS connections without issuing a Certificate Request.

The administrator will need to SSH to the Encryption Management Server and issue these commands to modify the stunnel configuration and restart the stunnel service:

sed -i '0,/verify = 1/s//# verify = 1/' /etc/stunnel/stunnel.conf
service stunnel restart

Note that the stunnel configuration is managed by Encryption Management Server, so the above two commands may need to be issued again if LDAPS clients cannot connect.
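Because the sed command uses the GNU address form 0,/verify = 1/, it comments out only the first "verify = 1" line in the file, and because the server can regenerate the file, it is worth having a check that confirms the edit is still in place. The following is an added example, not part of the article or of the product: it rehearses the same substitution against a constructed stunnel.conf in a temporary directory (the layout of that file, including a second service section, is an assumption; the real /etc/stunnel/stunnel.conf may differ) and provides a count of uncommented "verify = 1" lines that can be run after a restart to see whether the workaround has been reverted.

```shell
#!/bin/sh
# Added example: rehearse the stunnel workaround on a constructed config file.
# Not the product's own code; the real /etc/stunnel/stunnel.conf may be laid out differently.

make_sample_conf() {
    # $1 = path to write. Constructed sample with two service sections, each
    # carrying "verify = 1" (stunnel requests a peer certificate at this level).
    cat > "$1" <<'EOF'
; constructed sample, not the server's real stunnel.conf
cert = /etc/stunnel/server.pem
[ldaps]
accept = 636
connect = 389
verify = 1
[other-service]
accept = 8443
connect = 8080
verify = 1
EOF
}

apply_workaround() {
    # Same substitution as the article, applied to the file given as $1.
    # GNU sed's 0,/re/ address limits the edit to the first matching line only,
    # so any later service section keeps its own "verify = 1".
    sed -i '0,/verify = 1/s//# verify = 1/' "$1"
}

active_verify_count() {
    # Number of uncommented "verify = 1" lines in $1. Run this after
    # "service stunnel restart", or later if clients stop connecting, to see
    # whether the server's configuration management has restored the setting.
    # grep -c exits 1 when the count is 0, so "|| true" keeps the count usable.
    grep -c '^verify = 1' "$1" || true
}

# Stand-alone run: show the before/after counts on the constructed file.
if [ "${1:-}" = "--demo" ]; then
    tmpdir=$(mktemp -d)
    make_sample_conf "$tmpdir/stunnel.conf"
    echo "before: $(active_verify_count "$tmpdir/stunnel.conf") active verify line(s)"
    apply_workaround "$tmpdir/stunnel.conf"
    echo "after:  $(active_verify_count "$tmpdir/stunnel.conf") active verify line(s)"
    rm -rf "$tmpdir"
fi
```

Run with --demo to see the count drop from 2 to 1 on the constructed file: the [ldaps] section loses its Certificate Request, the second section is untouched. On a real server, a count that has gone back up after the edit is the signal that the two commands in the article need to be issued again.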

Additional Information

EPG-23362
