Encryption Management Server can look up keys on remote key servers using LDAP or LDAPS.
Encryption Management Server fails to connect over LDAPS to remote Encryption Management Servers.
The Mail log contains an error like this, where keys.example.com is the LDAPS server and [email protected] is the email address of the recipient:
Looking for key(s) on LDAPS PGP keyserver keys.example.com:636
key search <[email protected]> [keys.example.com]: Could not get recipient encryption key: server open failed
When Encryption Management Server receives an LDAPS connection, it issues a Certificate Request.
In order to comply with section 7.4.6 of RFC 5246, the Encryption Management Server that is making the LDAPS connection should respond to the Certificate Request by sending either its server certificate or a Certificate message with a zero-length certificate list.
Instead, the Encryption Management Server that is making the LDAPS connection responds with the certificate chain of its server certificate (the intermediate certificate(s) and the root certificate). This does not comply with section 7.4.6 of RFC 5246 and therefore the TLS connection fails.
The following tcpdump capture shows the remote Encryption Management Server issuing a Certificate Request and the connecting Encryption Management Server responding incorrectly with its certificate chain:
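When checking a capture like the one referred to above, the question is what the connecting server put in its Certificate handshake message: nothing, a single certificate, or several. The following example (added here; not code from the article or from the product) parses the certificate_list of a TLS 1.2 Certificate message (RFC 5246 sections 7.4.2 and 7.4.6) from a raw record and counts the certificates it carries. The sample records are constructed inline with placeholder byte strings standing in for DER certificates.

```python
import struct

HANDSHAKE_RECORD = 22   # TLS ContentType handshake
CERTIFICATE_MSG = 11    # HandshakeType certificate


def build_certificate_record(certs):
    """Build a TLS 1.2 handshake record carrying a Certificate message.
    Used here only to construct sample input from the given DER blobs."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(cert_list).to_bytes(3, "big") + cert_list
    body = bytes([CERTIFICATE_MSG]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE_RECORD, 3, 3]) + struct.pack("!H", len(body)) + body


def parse_certificate_record(record):
    """Return the list of DER certificates in a Certificate handshake record.
    An empty list is the zero-length certificate_list of RFC 5246 7.4.6."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (body_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + body_len]
    if len(body) != body_len or len(body) < 4 or body[0] != CERTIFICATE_MSG:
        raise ValueError("not a complete Certificate handshake message")
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    list_len = int.from_bytes(msg[0:3], "big")
    blob = msg[3:3 + list_len]
    if len(msg) != msg_len or len(blob) != list_len:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 3], "big")
        certs.append(blob[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs


def classify_client_response(record):
    """Label what the client sent: 'empty', 'single' or 'chain'."""
    count = len(parse_certificate_record(record))
    return "empty" if count == 0 else "single" if count == 1 else "chain"


# Constructed placeholders; real captures carry full X.509 DER here.
INTERMEDIATE = b"intermediate-der"
ROOT = b"root-der"
EMPTY_RESPONSE = build_certificate_record([])            # compliant reply
CHAIN_RESPONSE = build_certificate_record([INTERMEDIATE, ROOT])

if __name__ == "__main__":
    for name, rec in (("empty", EMPTY_RESPONSE), ("chain", CHAIN_RESPONSE)):
        print(name, "->", classify_client_response(rec))
```

To apply this to a real capture, feed it the raw bytes of the client's Certificate record as exported from the packet dissector; the parser deliberately rejects truncated or mislabelled records rather than guessing.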
Symantec Encryption Management Server 3.4.2 MP2, 3.4.2 MP3, 3.4.2 MP4, 3.4.2 MP5, 10.5 and 10.5 MP1.
Upgrade to release 10.5 MP2.
If you cannot upgrade, there are several ways to work around this issue:
The only way to work around this issue is for the connecting Encryption Management Server to connect to the LDAPS key server using a server certificate that has no certificate chain.
To create a self-signed certificate do the following:
A certificate issued either by an internal or external Certificate Authority can be effectively made into a self-signed certificate by deleting the certificates in its certificate chain:
The administrator of the Encryption Management Server that is running the Keyserver service can modify the stunnel configuration to accept LDAPS connections without issuing a Certificate Request.
The administrator will need to SSH to the Encryption Management Server and issue these commands to modify the stunnel configuration and restart the stunnel service:
sed -i '0,/verify = 1/s//# verify = 1/' /etc/stunnel/stunnel.conf
service stunnel restart
Note that the stunnel configuration is managed by Encryption Management Server, so the above two commands may need to be issued again if LDAPS clients can no longer connect.