It looks like it is just a client connection that is using AES GCM; it
hasn't got to process the ldap request yet. I think that the following
should work:
openssl s_client -connect LDAPHOSTNAME:636 -cipher ECDHE-RSA-AES256-GCM-SHA384
Should be able to reproduce it. Else, you can wait patiently for the
crash to happen again.
Perhaps try unsetting the variables Noriko mentioned, test that the
openssl command does indeed cause a crash, then re-apply the
environment variables to see if that prevents it?
Hello,
when I try to connect from a CentOS 7 machine to the ldap server and
there is no NSS export in the dirsrv file, it crashes. I am not using
the cipher option in this case:
$ openssl version; rpm -qa openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
openssl-1.0.1e-51.el7_2.2.x86_64
$ openssl s_client -connect ldap:636
CONNECTED(00000003)
depth=1 DC = X, CN = CA cert
verify error:num=19:self signed certificate in certificate chain
verify return:0
140122355623840:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
0 s:/CN=ds1
i:/DC=X/CN=CA cert
1 s:/DC=X/CN=CA cert
i:/DC=X/CN=CA cert
---
Server certificate
-----BEGIN CERTIFICATE-----
ZZZ
-----END CERTIFICATE-----
subject=/CN=ds1
issuer=/DC=X/CN=CA cert
---
Acceptable client certificate CA names
/DC=X/CN=CA cert
/DC=X/CN=DS2 CA cert
---
SSL handshake has read 1360 bytes and written 202 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-GCM-SHA256
Session-ID: 464F740F8FAF113738A1AF18487D382AA5C7B9DA202FD7ADA644A75FD63BC291
Session-ID-ctx:
Master-Key: ZZZ
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1453966206
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
The same happens from Fedora 23 and CentOS 6.
F23:
$ openssl version;rpm -qa openssl
OpenSSL 1.0.2e-fips 3 Dec 2015
openssl-1.0.2e-3.fc23.x86_64
C6:
$ openssl version; rpm -qa openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
openssl-1.0.1e-30.el6_6.5.x86_64
From CentOS 5 it is OK:
$ openssl version;rpm -qa openssl
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
openssl-0.9.8e-32.el5_11
With "export NSS_DISABLE_HW_GCM=1", there are no crashes, with and
without the cipher option. Moreover, with the cipher option it says:
CONNECTED(00000003)
139960478934944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 119 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
With "export NSS_DISABLE_HW_AES=1" there are no crashes.
I have a secondary LDAP server, which has the following software versions:
389-admin-1.1.35-1.el6.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.11.15-48.el6_6.x86_64
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
nss-3.16.2.3-3.el6_6.x86_64
It was OK with all the stuff I was throwing on it.
After the update to the following versions:
389-admin-1.1.35-1.el6.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
nss-3.19.1-8.el6_7.x86_64
it started crashing.
Many thanks for your help
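A small probe script that follows the reproduction suggested in the reply above and the two s_client transcripts quoted in this report. It is an added example, not code from either poster or from the 389 project; it assumes a HOST and PORT placeholder and uses constructed transcripts so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from this thread. Probes an LDAPS port with one
# cipher suite (default: the one suggested in the reply) and reduces the
# openssl s_client transcript to a one-line verdict, so a server that drops
# the connection after the ServerHello (the crash symptom reported here) is
# told apart from one that cleanly refuses the cipher with an alert.

# Read an s_client transcript on stdin; print one of:
#   ok <protocol> <cipher> verify=<code>   handshake completed
#   alert                                  server sent handshake_failure
#   dropped [after <cipher>]               client write failed: peer went away
#   unknown
summarise_s_client() {
    awk '
        /^ *Protocol *:/          { proto = $NF }
        /^ *Cipher *:/            { cipher = $NF }
        /Verify return code:/     { sub(/.*Verify return code: */, ""); verify = $1 }
        /alert handshake failure/ { alert = 1 }
        /:ssl handshake failure:/ { fail = 1 }
        END {
            have_cipher = (cipher != "" && cipher != "(NONE)")
            if (alert)            verdict = "alert"
            else if (fail)        verdict = "dropped" (have_cipher ? " after " cipher : "")
            else if (have_cipher) verdict = "ok " proto " " cipher " verify=" verify
            else                  verdict = "unknown"
            print verdict
        }'
}

# usage: probe_ldaps HOST PORT [CIPHER]   (HOST/PORT are placeholders)
probe_ldaps() {
    openssl s_client -connect "$1:$2" -cipher "${3:-ECDHE-RSA-AES256-GCM-SHA384}" \
        </dev/null 2>&1 | summarise_s_client
}

# Constructed transcripts shaped like the two outputs quoted in the thread.
SAMPLE_DROPPED='CONNECTED(00000003)
1:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_ALERT='CONNECTED(00000003)
1:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
New, (NONE), Cipher is (NONE)'

if [ $# -ge 2 ]; then probe_ldaps "$@"; fi
```

Run it as `sh probe.sh HOST 636` before and after changing the NSS_DISABLE_HW_GCM setting in the dirsrv environment; a "dropped after ..." verdict means the ServerHello arrived and the peer then vanished, which matches the crash, while "alert" means the cipher was simply refused.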