On Tue, Sep 17, 2019 at 5:54 PM Mark Reynolds <mreynolds(a)redhat.com> wrote:
> On 9/17/19 10:48 AM, Mihai Carabas wrote:
> > After investigating, it seems that no ciphersuite is available in
> > NSS3.44, from the ones I have:
> >
> > [17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_null_md5 is not available
> > in NSS 3.44. Ignoring rsa_null_md5
> > [17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_null_sha is not available
> > in NSS 3.44. Ignoring rsa_null_sha
> > [17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not
> > available in NSS 3.44. Ignoring rsa_rc4_128_md5
> > [17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not
> > available in NSS 3.44. Ignoring rsa_rc4_40_md5
> > [17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not
> > available in NSS 3.44. Ignoring rsa_rc2_40_md5
> > [17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_des_sha is not available
> > in NSS 3.44. Ignoring rsa_des_sha
> > [17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not
> > available in NSS 3.44. Ignoring rsa_fips_des_sha
> > [17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_3des_sha is not available
> > in NSS 3.44. Ignoring rsa_3des_sha
> > [17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not
> > available in NSS 3.44. Ignoring rsa_fips_3des_sha
> > [17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite fortezza is not available in
> > NSS 3.44. Ignoring fortezza
> > [17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not
> > available in NSS 3.44. Ignoring fortezza_rc4_128_sha
> > [17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite fortezza_null is not
> > available in NSS 3.44. Ignoring fortezza_null
> > [17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite
> > tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44.
> > Ignoring tls_rsa_export1024_with_rc4_56_sha
> > [17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite
> > tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44.
> > Ignoring tls_rsa_export1024_with_des_cbc_sha
> > [17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not
> > available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
> > [17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security
> > Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not
> > available in NSS 3.44. Ignoring tls_rsa_aes_256_sha
> > [17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security
> > Initialization - SSL alert: Failed to set SSL cipher preference
> > information: No active cipher suite is available. (Netscape Portable
> > Runtime error 0 - no error)
> >
> >
> > What other ciphers should I add? Is there a recommendation?
> Use the NSS defaults by either removing "nsSSL3Ciphers" from
> cn=encryption,cn=config, or setting it to "default". If you directly
> edit dse.ldif then make sure the server is stopped first. If you use
> ldapmodify then you need to restart the server for the change to take effect.
Awesome. Thank you Mark!
> HTH,
> Mark
>
> >
> > On Tue, Sep 17, 2019 at 5:42 PM William Brown <wbrown(a)suse.de> wrote:
> >> Hey there,
> >>
> >> Can you send us the access log of the connection attempt, as well as the
> >> command line options you used to make the connection?
> >>
> >> Thanks!
> >>
> >>> On 17 Sep 2019, at 16:40, Mihai Carabas <mihai.carabas(a)gmail.com>
> >>> wrote:
> >>>
> >>> Hello,
> >>>
> >>> After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the
> >>> following issue on LDAPS:
> >>>
> >>> ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
> >>> ldap_create
> >>> ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
> >>> ldap_sasl_bind
> >>> ldap_send_initial_request
> >>> ldap_new_connection 1 1 0
> >>> ldap_int_open_connection
> >>> ldap_connect_to_host: TCP ldap.curs.pub.ro:636
> >>> ldap_new_socket: 3
> >>> ldap_prepare_socket: 3
> >>> ldap_connect_to_host: Trying 141.85.241.48:636
> >>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> >>> attempting to connect:
> >>> connect success
> >>> TLS trace: SSL_connect:before SSL initialization
> >>> tls_write: want=303, written=303
> >>> TLS trace: SSL_connect:SSLv3/TLS write client hello
> >>> tls_read: want=5, got=5
> >>> 0000: 15 03 03 00 02 .....
> >>> tls_read: want=2, got=2
> >>> 0000: 02 50 .P
> >>> TLS trace: SSL3 alert read:fatal:internal error
> >>> TLS trace: SSL_connect:error in error
> >>> TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> >>> alert internal error.
> >>> ldap_err2string
> >>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >>>
> >>> All the things remained the same like before upgrading. I see this
> >>> internal error and I could not find any hints about it. Did someone
> >>> hit this issue?
> >>>
> >>> Thank you,
> >>> Mihai Carabas
> >>> _______________________________________________
> >>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> >>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> >>> Fedora Code of Conduct:
> >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>> List Guidelines:
> >>> https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>> List Archives:
> >>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> >> --
> >> Sincerely,
> >>
> >> William Brown
> >>
> >> Senior Software Engineer, 389 Directory Server
> >> SUSE Labs
>
> --
>
> 389 Directory Server Development Team
>
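As an added example (not code from the thread or from 389-ds), the check and the fix Mark describes, scripted: scan a 389-ds errors log for the "Cipher suite ... is not available" warnings Mihai posted and emit the ldapmodify LDIF that sets nsSSL3Ciphers back to "default". The sample log lines are constructed from the format in the thread; the bind DN and instance name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit a 389-ds errors log for refused cipher suites and
# generate the LDIF for Mark's fix (nsSSL3Ciphers: default).

# Constructed sample in the errors-log format seen in the thread (abridged).
SAMPLE_LOG='[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not available in NSS 3.44. Ignoring rsa_rc4_40_md5
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)'

# Print the cipher suite names the server refused, one per line.
ignored_suites() {
    printf '%s\n' "$1" | sed -n 's/.*Cipher suite \([^ ]*\) is not available.*/\1/p'
}

# Return 0 (true) if the log shows the server ended up with no usable
# cipher suite at all, which is what makes every LDAPS handshake fail.
no_active_suite() {
    printf '%s\n' "$1" | grep -q 'No active cipher suite is available'
}

# LDIF for the fix: replace the stale list with "default" so NSS picks
# its own current suite list.
reset_ciphers_ldif() {
    printf 'dn: cn=encryption,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: nsSSL3Ciphers\n'
    printf 'nsSSL3Ciphers: default\n'
}

# Usage against a live instance (placeholder bind DN and instance name):
#   ignored_suites "$(cat /var/log/dirsrv/slapd-INSTANCE/errors)"
#   reset_ciphers_ldif | ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W
#   systemctl restart dirsrv@INSTANCE   # required after ldapmodify, as Mark notes
ignored_suites "$SAMPLE_LOG"
no_active_suite "$SAMPLE_LOG" && echo "server has no active cipher suite"
reset_ciphers_ldif
```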