Go to main content
Oracle® Solaris 11.3 Release Notes

Exit Print View

Updated: July 2017
 
 

Security Issues

This section describes issues with the security software in the Oracle Solaris 11.3 release.

ssh and sshd Enable OpenSSL pkcs11 Engine by Default on T4, T4+ Platforms (18762585)

Starting with Oracle Solaris 11.2, T4 instructions and Intel hardware acceleration are embedded in the OpenSSL internal crypto implementation for non-FIPS-140 OpenSSL. This change affects the performance of ssh and sshd because these services use the OpenSSL pkcs11 engine by default on T4 systems and later versions.

Workaround: To obtain maximum performance, disable the OpenSSL pkcs11 engine.

Perform the following steps to disable the pkcs11 engine for ssh and sshd services:

  1. Add the following line to the /etc/ssh/ssh_config and /etc/ssh/sshd_config files:

    UseOpenSSLEngine no
  2. Restart the ssh service.

    # svcadm restart ssh

Note -  This issue is applicable only for the OpenSSL non-FIPS-140 module. For information about the OpenSSL FIPS-140 module, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3.

ktkt_warn Service Is Disabled by Default (15774352)

The ktkt_warn service, used to renew a user's Kerberos credentials and warn about credential expiry, is now disabled by default. The following error message is displayed:

kinit:  no ktkt_warnd warning possible

Workaround: Choose one of the following workarounds to enable the service:

  • If the system already has Kerberos configured, use the svcadm command to enable the service.

    # svcadm enable ktkt_warn
  • If Kerberos has not been configured, run the kclient utility to configure Kerberos, which will also enable the ktkt_warn service.

    For more information about the kclient utility, see the kclient(1M) man page.

The door_ucred System Call Does Not Work Properly on Branded Zones (20425782)

The kernel-level cryptographic framework daemon, kcfd, can crash in branded zones that are running Oracle Solaris 10. The crash occurs when an application makes a call to the kcfd daemon by a user who is a member of 16 or more UNIX groups.

This failure of the kcfd daemon might also lead to switching of the svc:/system/cryptosvc:default service to maintenance mode, which in turn causes the libpkcs11 library to stop working. For information, see the libpkcs11(3LIB) man page.

The crash also results in applications or commands such as ssh and Java being unable to use SPARC hardware acceleration of cryptographic operations and could cause other applications or commands such as encrypt and decrypt to fail completely.


Note -  This issue potentially affects all the services that call the door_ucred system call, such as nscd(1M), zoneadm(1M), svc.configd(1M), ldap_cachemgr(1M), hotplugd(1M), iscsitgtd(1M), picld(1M), labeld(1M), and in.iked(1M).

Workaround: To prevent crashing, increase the maximum number of groups per user in the global zone so that it exceeds the number of groups that a user can be assigned. For example, if a user can be assigned to 31 groups, you would add the following line to the /etc/system file in the global zone:

set ngroups_max = 32

The maximum value that can be assigned to ngroups_max is 1024.

OpenLDAP Package Update Issue (21577683)

If you have made manual modifications to the LDAP configuration files /etc/openldap/ldap.conf and /etc/openldap/slapd.conf, the security settings for the TLS cipher suite might be incorrect.

Workaround: If you maintain your own LDAP configuration files, make the following modifications to maintain a secure system:

  • In the /etc/openldap/ldap.conf file, set the TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE values as follows:

    TLS_PROTOCOL_MIN   3.2
    TLS_CIPHER_SUITE   TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  • In the /etc/openldap/slapd.conf, set the TLSProtocolMin and TLSCipherSuite values as follows:

    TLSProtocolMin  770
    TLSCipherSuite  TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA