On Thu, Jan 28, 2016 at 11:02 AM, William Brown <wibrown(a)redhat.com> wrote:
>
> with "export NSS_DISABLE_HW_GCM=1", there are no crashes, with and
> without the cipher option. Moreover, with the cipher option it says:
>
> CONNECTED(00000003)
> 139960478934944:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:744:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 119 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
>
>
> With "export NSS_DISABLE_HW_AES=1" there are no crashes.
>
I'm suspicious here. You should be seeing a peer certificate, but you
aren't. With the first set of output you showed, it looked like a cert
was sent to you.
Can you show us your cn=encryption,cn=config from dse.ldif?
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
Hello,
the certificate is there (in the "-----BEGIN CERTIFICATE-----" section);
I just edited it. Here is the certificate without some internal
information like the DN:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=domain, DC=priv, CN=CA cert
        Validity
            Not Before: Dec 10 08:06:08 2012 GMT
            Not After : Dec 10 08:06:08 2022 GMT
        Subject: CN=ds2.domain.priv
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
Here is the dse.ldif part:
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20130208233846Z
modifyTimestamp: 20130215092729Z
nsSSL3Ciphers: -rsa_null_sha,+rsa_rc4_128_md5,+rsa_3des_sha,+fortezza_null,-rsa_null_md5,+rsa_fips_des_sha,+fortezza,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+fortezza_rc4_128_sha,+rsa_fips_3des_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha
nsKeyfile: alias/slapd-ds2-key3.db
nsCertfile: alias/slapd-ds2-cert8.db
numSubordinates: 1
I have tried:
openssl s_client -connect ldap:636 -tls1_2 - it crashes the server
-tls1 / -tls1_1 is OK
Thanks
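As an added example (not part of this thread or of 389-ds itself), a small Python check that unfolds the LDIF continuation lines of a cn=encryption entry like the one quoted above and flags nsSSL3: on plus any enabled cipher in nsSSL3Ciphers that matches a weak-cipher pattern; the sample entry and the list of weak-cipher markers are constructed for illustration and are not a 389-ds policy.

```python
# Constructed sample, modelled on the entry quoted in the thread. LDIF
# continuation lines begin with a single space and belong to the previous line.
SAMPLE_LDIF = """dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL2: off
nsSSL3: on
nsSSL3Ciphers: -rsa_null_sha,+rsa_rc4_128_md5,+rsa_3des_sha,+fortezza_null,-rs
 a_null_md5,+rsa_fips_des_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_aes
 _128_sha,+tls_rsa_aes_256_sha
nsKeyfile: alias/slapd-ds2-key3.db
"""

# Substrings that mark a cipher name as weak (hypothetical policy for this example).
WEAK_MARKERS = ("null", "rc4", "rc2", "export", "fortezza", "md5", "_des_", "40_")


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # fold continuation onto the previous line
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def enabled_ciphers(cipher_spec):
    """Return the cipher names switched on ('+name') in an nsSSL3Ciphers value."""
    return [tok[1:] for tok in cipher_spec.split(",") if tok.startswith("+")]


def audit_encryption(text):
    """Return human-readable findings for the cn=encryption entry in `text`."""
    attrs = parse_ldif_entry(text)
    findings = []
    if attrs.get("nsssl3", ["off"])[0].lower() == "on":
        findings.append("nsSSL3 is on")
    for spec in attrs.get("nsssl3ciphers", []):
        for cipher in enabled_ciphers(spec):
            if any(marker in cipher for marker in WEAK_MARKERS):
                findings.append("weak cipher enabled: " + cipher)
    return findings
```

Feeding the real dse.ldif entry through the same function shows which of the '+' ciphers would be reported before tightening the list.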