It looks like it's just a client connection that is using AES GCM; it hasn't got to processing the LDAP request yet. I think that the following should work:
openssl s_client -connect LDAPHOSTNAME:636 -cipher ECDHE-RSA-AES256-GCM-SHA384
That should be able to reproduce it. Otherwise, you can wait patiently for the crash to happen again.
Perhaps try unsetting the variables Noriko mentioned, test that the openssl command does indeed cause a crash, then re-apply the environment variables to see if that prevents it?
Hello,
When I try to connect from a CentOS 7 machine to the LDAP server and there is no NSS export in the dirsrv file, it crashes. I am not using the cipher option in this case:
$ openssl version; rpm -qa openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
openssl-1.0.1e-51.el7_2.2.x86_64
$ openssl s_client -connect ldap:636
CONNECTED(00000003)
depth=1 DC = X, CN = CA cert
verify error:num=19:self signed certificate in certificate chain
verify return:0
140122355623840:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/CN=ds1
   i:/DC=X/CN=CA cert
 1 s:/DC=X/CN=CA cert
   i:/DC=X/CN=CA cert
---
Server certificate
-----BEGIN CERTIFICATE-----
ZZZ
-----END CERTIFICATE-----
subject=/CN=ds1
issuer=/DC=X/CN=CA cert
---
Acceptable client certificate CA names
/DC=X/CN=CA cert
/DC=X/CN=DS2 CA cert
---
SSL handshake has read 1360 bytes and written 202 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 464F740F8FAF113738A1AF18487D382AA5C7B9DA202FD7ADA644A75FD63BC291
    Session-ID-ctx:
    Master-Key: ZZZ
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1453966206
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
The same happens from Fedora 23 and CentOS 6.
F23:
$ openssl version; rpm -qa openssl
OpenSSL 1.0.2e-fips 3 Dec 2015
openssl-1.0.2e-3.fc23.x86_64
C6:
$ openssl version; rpm -qa openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
openssl-1.0.1e-30.el6_6.5.x86_64
From CentOS 5 it is OK:
$ openssl version; rpm -qa openssl
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
openssl-0.9.8e-32.el5_11
With "export NSS_DISABLE_HW_GCM=1" there are no crashes, with and without the cipher option. Moreover, with the cipher option it says:
CONNECTED(00000003)
139960478934944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 119 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
With "export NSS_DISABLE_HW_AES=1" there are no crashes.
I have a secondary LDAP server, which has the following software versions:
389-admin-1.1.35-1.el6.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.11.15-48.el6_6.x86_64
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
nss-3.16.2.3-3.el6_6.x86_64
It was OK with all the stuff I was throwing at it. After the update to the following versions:
389-admin-1.1.35-1.el6.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
nss-3.19.1-8.el6_7.x86_64
it started crashing.
Many thanks for your help
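As an added example (not part of this thread, and not 389-ds code), the check below classifies `openssl s_client` output so an administrator can confirm whether an LDAPS port still negotiates an AES-GCM suite or rejects it with the handshake-failure output the poster saw after exporting NSS_DISABLE_HW_GCM=1; the host, port and the OPENSSL override variable are assumptions, and the two sample outputs are constructed from the shapes posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `openssl s_client` output on stdin
# and prints one of:
#   failed          - no cipher negotiated (e.g. "sslv3 alert handshake failure")
#   gcm:<suite>     - an AES-GCM suite was negotiated (the path tied to the crash)
#   other:<suite>   - a non-GCM suite was negotiated
classify_handshake() {
    # s_client prints "New, <proto>, Cipher is <suite>" whether or not it succeeded
    suite=$(sed -n 's/^New, .*, Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$suite" in
        ""|"(NONE)") echo "failed" ;;
        *GCM*)       echo "gcm:$suite" ;;
        *)           echo "other:$suite" ;;
    esac
}

# Live probe: HOST PORT SUITE. OPENSSL is an assumed override so the function can
# be pointed at a stub; </dev/null ends s_client right after the handshake.
probe_ldaps() {
    host=$1; port=$2; suite=$3
    ${OPENSSL:-openssl} s_client -connect "$host:$port" -cipher "$suite" </dev/null 2>&1 \
        | classify_handshake
}

# Constructed sample outputs (abridged) for running this offline.
SAMPLE_GCM_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256'

SAMPLE_REJECTED='CONNECTED(00000003)
139960478934944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

printf '%s\n' "$SAMPLE_GCM_OK"   | classify_handshake   # gcm:AES128-GCM-SHA256
printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake   # failed
# Against a real server (assumed host name):
#   probe_ldaps ldap.example.test 636 ECDHE-RSA-AES256-GCM-SHA384
```

Run the probe once before and once after changing the dirsrv environment file so the "gcm:" to "failed" transition confirms the workaround took effect for that suite.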