This section describes issues with the security software in the Oracle Solaris 11.3 release.
Starting with Oracle Solaris 11.2, T4 instructions and Intel hardware acceleration are embedded in the OpenSSL internal crypto implementation for non-FIPS-140 OpenSSL. This change affects the performance of ssh and sshd because these services use the OpenSSL pkcs11 engine by default on T4 and later systems.
Workaround: To obtain maximum performance, disable the OpenSSL pkcs11 engine.
Perform the following steps to disable the pkcs11 engine for the ssh and sshd services:
1. Add the following line to the /etc/ssh/ssh_config and /etc/ssh/sshd_config files:
2. Restart the ssh service.
   # svcadm restart ssh
The ktkt_warn service, used to renew a user's Kerberos credentials and warn about credential expiry, is now disabled by default. The following error message is displayed:
kinit: no ktkt_warnd warning possible
Workaround: Choose one of the following workarounds to enable the service:
If the system already has Kerberos configured, use the svcadm command to enable the service.
# svcadm enable ktkt_warn
If Kerberos has not been configured, run the kclient utility to configure Kerberos, which will also enable the ktkt_warn service.
For more information about the kclient utility, see the kclient(1M) man page.
The kernel-level cryptographic framework daemon, kcfd, can crash in branded zones that are running Oracle Solaris 10. The crash occurs when an application running as a user who is a member of 16 or more UNIX groups makes a call to the kcfd daemon.
This failure of the kcfd daemon might also switch the svc:/system/cryptosvc:default service to maintenance mode, which in turn causes the libpkcs11 library to stop working. For more information, see the libpkcs11(3LIB) man page.
The crash also results in applications or commands such as ssh and Java being unable to use SPARC hardware acceleration of cryptographic operations and could cause other applications or commands such as encrypt and decrypt to fail completely.
Workaround: To prevent the crash, increase the maximum number of groups per user in the global zone so that it exceeds the number of groups that a user can be assigned. For example, if a user can be assigned to 31 groups, add the following line to the /etc/system file in the global zone:
set ngroups_max = 32
The maximum value that can be assigned to ngroups_max is 1024.
If you have made manual modifications to the LDAP configuration files /etc/openldap/ldap.conf and /etc/openldap/slapd.conf, the security settings for the TLS cipher suite might be incorrect.
Workaround: If you maintain your own LDAP configuration files, make the following modifications to maintain a secure system:
In the /etc/openldap/ldap.conf file, set the TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE values as follows:
TLS_PROTOCOL_MIN 3.2
TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
In the /etc/openldap/slapd.conf file, set the TLSProtocolMin and TLSCipherSuite values as follows:
TLSProtocolMin 770
TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
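As an added example, not part of the Oracle release notes, the following POSIX shell helper audits an ldap.conf or slapd.conf file for the minimum-protocol and cipher-suite settings above; the function names (last_value, tls_min_ok, cipher_ok, check_ldap_tls) and the sample configuration files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper, not from the Oracle release notes: checks an OpenLDAP
# configuration file for the TLS settings recommended above.
# ldap.conf:  TLS_PROTOCOL_MIN is "major.minor" (3.2 = TLS 1.2)
# slapd.conf: TLSProtocolMin is major*256+minor (770 = 3*256+2 = TLS 1.2)
# Both must resolve to at least 770, and the cipher string must rule out
# anonymous (!aNULL) and unencrypted (!eNULL) suites.
# last_value FILE KEY: value of the last occurrence of KEY in FILE
last_value() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" 2>/dev/null
}

# tls_min_ok FILE KIND: KIND is "client" (ldap.conf) or "server" (slapd.conf)
tls_min_ok() {
  if [ "$2" = client ]; then   # convert "major.minor" to major*256+minor
    code=$(last_value "$1" TLS_PROTOCOL_MIN | awk -F. 'NF == 2 { print $1 * 256 + $2 }')
  else
    code=$(last_value "$1" TLSProtocolMin)
  fi
  case $code in '' | *[!0-9]*) return 1 ;; esac   # must be a decimal number
  [ "$code" -ge 770 ]
}

# cipher_ok FILE KIND: cipher string present and contains !aNULL and !eNULL
cipher_ok() {
  key=TLS_CIPHER_SUITE
  if [ "$2" = server ]; then key=TLSCipherSuite; fi
  s=":$(last_value "$1" "$key"):"
  case $s in *':!aNULL:'*) ;; *) return 1 ;; esac
  case $s in *':!eNULL:'*) ;; *) return 1 ;; esac
  return 0
}

# check_ldap_tls FILE KIND: 0 when both checks pass, non-zero otherwise
check_ldap_tls() {
  tls_min_ok "$1" "$2" && cipher_ok "$1" "$2"
}
# Constructed sample files for the demonstration (not real system files).
dir=$(mktemp -d)
good_ldap="$dir/ldap.conf"; good_slapd="$dir/slapd.conf"; weak_slapd="$dir/weak.conf"
printf 'TLS_PROTOCOL_MIN 3.2\nTLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:AES256-SHA\n' > "$good_ldap"
printf 'TLSProtocolMin 770\nTLSCipherSuite TLSv1.2:!aNULL:!eNULL:AES256-SHA\n' > "$good_slapd"
printf 'TLSProtocolMin 769\nTLSCipherSuite ALL\n' > "$weak_slapd"  # TLS 1.1, aNULL allowed
for spec in "$good_ldap client" "$good_slapd server" "$weak_slapd server"; do
  set -- $spec   # split "file kind" (paths from mktemp contain no spaces)
  if check_ldap_tls "$1" "$2"; then echo "OK   $1"; else echo "WEAK $1"; fi
done
```

Run it against the real files with check_ldap_tls /etc/openldap/ldap.conf client and check_ldap_tls /etc/openldap/slapd.conf server; a non-zero exit means the file does not carry the recommended settings.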