As you may know, Red Hat released Red Hat Enterprise Linux 6.4 last Thursday. I’m not going to rehash new features and updates as there are many tweets and articles already out. Instead I want to make you aware of an upstream behavioral change that could cause authentication and other issues. The credit for this goes to a customer and friend who called me after updating to RHEL 6.4 to fix a kernel problem they were hitting.
The problem surfaced for them as LDAP authentication issues with SSSD. Users couldn’t log into the systems and the admins found the following error in the logs:
sssd[be[LDAP]]: Could not start TLS encryption. TLS error-8016:The certificate was signed using a signature algorithm that is disabled because it is not secure.
Having not made any other changes to the LDAP system they started digging. Luckily for them some Googling and some savvy admins managed to walk the cat back to NSS using a Fedora 18 bugzilla report.
The upstream Mozilla NSS disabled support for MD5 hash signed certificates in the 3.14 release, which was added to RHEL 6.4. From the upstream documentation the following workaround is noted:
Support for MD5 may be manually enabled (but is discouraged) by setting the environment variable of “NSS_HASH_ALG_SUPPORT=+MD5” or by using the NSS_SetAlgorithmPolicy function.
The other solution would be to re-key the LDAP server which may potentially require more changes to the CA depending on how you originally built and signed your keys.
There are two ways to set the variable that have been reported to work. First, set the variable at boot by adding the following to the grub entry kernel line:
Second, create (or add to) nssh.sh in /etc/profile.d/ and export the variable there.
The folks who reported the problem to me are going with solution #2.
And so as not to take any credit for these, here’s the link to the Fedora Bugzilla report that talks about the solution. The information from the Red Hat docs on the upstream release update can be found in the Technical Notes and the Release Notes. The upstream project had set a date on supporting MD5 hashes based on earlier issues discovered with the hash algorithm.
If you are having difficulty getting a working configuration, use your Red Hat support contract and call the experts.