Hello,
After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the following issue on LDAPS:
ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
ldap_create
ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.curs.pub.ro:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 141.85.241.48:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=303, written=303
0000: 16 03 01 01 2a 01 00 01 26 03 03 72 71 d6 83 08 ....*...&..rq...
0010: 7a 5f 26 69 2b f7 f7 4f 59 76 87 c0 07 bc 6c db z_&i+..OYv....l.
0020: fe 51 69 e4 2c dc 65 3d 52 48 f6 20 2b c1 75 d1 .Qi.,.e=RH. +.u.
0030: 98 3b dc 70 3e 69 82 a4 41 91 7f 89 0e fc 52 43 .;.p>i..A.....RC
0040: ab be c9 77 0b 02 a7 f1 9f ec a7 d0 00 48 13 02 ...w.........H..
0050: 13 03 13 01 13 04 c0 2c c0 30 cc a9 cc a8 c0 ad .......,.0......
0060: c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 .+./...#.'......
0070: c0 13 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 ...........=.<.5
0080: 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 ./...........k.g
0090: 00 39 00 33 00 ff 01 00 00 95 00 0b 00 04 03 00 .9.3............
00a0: 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 ................
00b0: 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d ...#............
00c0: 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 .0..............
00d0: 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 ................
00e0: 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 ................
00f0: 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 ...+............
0100: 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 4c -.....3.&.$... L
0110: 3f b1 bc f8 d0 a1 54 e7 a2 6f d4 d4 d1 ab b3 77 ?.....T..o.....w
0120: 67 2c ea 51 94 f3 fa 43 de 96 5f 9b eb 12 10 g,.Q...C.._....
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
0000: 15 03 03 00 02 .....
tls_read: want=2, got=2
0000: 02 50 .P
TLS trace: SSL3 alert read:fatal:internal error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
All the things remained the same as before upgrading. I see this internal error and I could not find any hints about it. Did someone hit this issue?
Thank you, Mihai Carabas
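The trace above already contains the answer to "what went wrong": the client wrote a 303-byte ClientHello and read back a 7-byte TLS alert record (15 03 03 00 02 02 50), where level 2 means fatal and description 0x50 = 80 is internal_error. The following is an added example, not code from the thread, from 389-ds or from OpenLDAP: it parses the hex dump format of the ldapsearch debug output, decodes the record headers, lists the versions and cipher suites the client offered, and names the alert the server sent. The dumps are copied from the trace; the byte layouts follow RFC 5246 (record, ClientHello, alert) and RFC 8446 (supported_versions extension); the suite and alert name tables are deliberately short, and unknown codes are shown in hex.

```python
# Added example (not code from the thread, 389-ds or OpenLDAP): decode the two TLS
# records in the ldapsearch debug trace above. Hex dumps are copied from the trace;
# byte layouts follow RFC 5246 (record, ClientHello, alert) and RFC 8446 (ext. 43).
import struct

# The 303-byte ClientHello record the client wrote (tls_write: want=303).
CLIENT_HELLO_DUMP = """\
0000: 16 03 01 01 2a 01 00 01 26 03 03 72 71 d6 83 08 ....*...&..rq...
0010: 7a 5f 26 69 2b f7 f7 4f 59 76 87 c0 07 bc 6c db z_&i+..OYv....l.
0020: fe 51 69 e4 2c dc 65 3d 52 48 f6 20 2b c1 75 d1 .Qi.,.e=RH. +.u.
0030: 98 3b dc 70 3e 69 82 a4 41 91 7f 89 0e fc 52 43 .;.p>i..A.....RC
0040: ab be c9 77 0b 02 a7 f1 9f ec a7 d0 00 48 13 02 ...w.........H..
0050: 13 03 13 01 13 04 c0 2c c0 30 cc a9 cc a8 c0 ad .......,.0......
0060: c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 .+./...#.'......
0070: c0 13 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 ...........=.<.5
0080: 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 ./...........k.g
0090: 00 39 00 33 00 ff 01 00 00 95 00 0b 00 04 03 00 .9.3............
00a0: 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 ................
00b0: 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d ...#............
00c0: 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 .0..............
00d0: 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 ................
00e0: 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 ................
00f0: 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 ...+............
0100: 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 4c -.....3.&.$... L
0110: 3f b1 bc f8 d0 a1 54 e7 a2 6f d4 d4 d1 ab b3 77 ?.....T..o.....w
0120: 67 2c ea 51 94 f3 fa 43 de 96 5f 9b eb 12 10 g,.Q...C.._....
"""
# The 5 + 2 bytes the client then read back: one TLS alert record.
ALERT_DUMP = """\
0000: 15 03 03 00 02 .....
0000: 02 50 .P
"""
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}

def parse_hexdump(text):
    """'OFFSET: xx xx ... <ascii>' lines -> bytes. The ASCII column starts at the first
    token that is not a hex pair, so cross-check len() against the trace's want=N."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:17]:      # drop the offset, at most 16 bytes per line
            if len(tok) != 2 or not all(c in "0123456789abcdef" for c in tok.lower()):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_record(data):
    """One TLS record -> (content_type, legacy_version, body)."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return ctype, version, body

def parse_client_hello(body):
    """Versions and cipher suites offered by a ClientHello handshake message."""
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    h = body[4:]                                # skip handshake type + 3-byte length
    pos = 2 + 32                                # legacy_version + random
    pos += 1 + h[pos]                           # session_id
    n = struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + h[pos]                           # compression_methods
    versions = [struct.unpack("!H", h[:2])[0]]  # legacy_version unless ext 43 is present
    end = pos + 2 + struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", h[pos:pos + 4])
        ext = h[pos + 4:pos + 4 + elen]
        if etype == 43:                         # supported_versions
            versions = [struct.unpack("!H", ext[i:i + 2])[0] for i in range(1, 1 + ext[0], 2)]
        pos += 4 + elen
    return {"versions": [VERSIONS.get(v, hex(v)) for v in versions],
            "cipher_suites": [SUITES.get(s, "0x%04x" % s) for s in suites]}

def parse_alert(body):
    """2-byte alert body -> level (1 warning, 2 fatal) and description."""
    return {"level": {1: "warning", 2: "fatal"}.get(body[0], str(body[0])),
            "description": ALERTS.get(body[1], str(body[1])), "code": body[1]}

def diagnose(sent_dump, received_dump):
    """What the client offered and how the server answered."""
    ctype, _, body = parse_record(parse_hexdump(sent_dump))
    offered = parse_client_hello(body) if ctype == 22 else {}
    ctype, _, body = parse_record(parse_hexdump(received_dump))
    answer = parse_alert(body) if ctype == 21 else {"raw": body.hex()}
    return {"offered": offered, "answer": answer}

if __name__ == "__main__":
    r = diagnose(CLIENT_HELLO_DUMP, ALERT_DUMP)
    print(r["offered"]["versions"], len(r["offered"]["cipher_suites"]), "suites offered")
    print("server alert:", r["answer"])
```

Run as-is it reports that the client offered TLS 1.3 down to TLS 1.0 with 36 suites, including modern AEAD ones, and that the server replied with a fatal internal_error alert rather than a handshake_failure. That distinction is the useful diagnostic: handshake_failure would point at a client/server suite mismatch, while internal_error at the first read after the ClientHello points at the server side being unable to set up TLS at all, which is what the 389-ds errors log later confirms.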
Hey there,
Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
Thanks!
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
On 9/17/19 10:42 AM, William Brown wrote:
Hey there,
Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
What was the previous version of DS you were using?
Thanks!
On Tue, Sep 17, 2019 at 5:49 PM Mark Reynolds mreynolds@redhat.com wrote:
On 9/17/19 10:42 AM, William Brown wrote:
Hey there,
Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
What was the previous version of DS you were using?
1.4.0.20
Thanks!
--
389 Directory Server Development Team
After investigating, it seems that no cipher suite is available in NSS 3.44, from the ones I have:
[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_sha is not available in NSS 3.44. Ignoring rsa_null_sha
[17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not available in NSS 3.44. Ignoring rsa_rc4_128_md5
[17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not available in NSS 3.44. Ignoring rsa_rc4_40_md5
[17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not available in NSS 3.44. Ignoring rsa_rc2_40_md5
[17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_des_sha is not available in NSS 3.44. Ignoring rsa_des_sha
[17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not available in NSS 3.44. Ignoring rsa_fips_des_sha
[17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_3des_sha is not available in NSS 3.44. Ignoring rsa_3des_sha
[17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not available in NSS 3.44. Ignoring rsa_fips_3des_sha
[17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza is not available in NSS 3.44. Ignoring fortezza
[17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.44. Ignoring fortezza_rc4_128_sha
[17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza_null is not available in NSS 3.44. Ignoring fortezza_null
[17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44. Ignoring tls_rsa_export1024_with_rc4_56_sha
[17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44. Ignoring tls_rsa_export1024_with_des_cbc_sha
[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
[17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_256_sha
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
What other ciphers should I add? Is there a recommendation?
On 9/17/19 10:48 AM, Mihai Carabas wrote:
What other ciphers should I add? Is there a recommendation?
Use the NSS defaults by either removing "nsSSL3Ciphers" from cn=encryption,cn=config, or setting it to "default". If you directly edit dse.ldif, then make sure the server is stopped first. If you use ldapmodify, then you need to restart the server for the change to take effect.
HTH, Mark
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
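The errors log Mihai posted and Mark's fix go together: every suite named in the old nsSSL3Ciphers value was dropped by NSS 3.44 (NULL, RC4, RC2, DES/3DES, export-grade and MD5 suites, plus the two plain-RSA AES suites), so the server started with no cipher at all and every LDAPS handshake died with the internal_error alert seen at the top of the thread. The following is an added example, not code from the thread or from 389-ds: it scans errors-log lines for the "Cipher suite ... is not available in NSS" warnings and the "No active cipher suite is available" failure, separates suites that are obsolete on their own from ones that merely vanished in this NSS release, and emits the ldapmodify input for the "set it to default" option Mark describes. The sample log lines are copied from the thread; the final INFO line is constructed so the scanner has something to ignore.

```python
# Added example (not code from the thread or from 389-ds): audit a 389-ds errors log for
# cipher suites NSS refused at startup and build the ldapmodify input for the fix
# suggested in the thread (nsSSL3Ciphers: default). Log lines are copied from the
# thread except the last one, which is constructed as an unrelated line to skip.
import re

SAMPLE_ERRORS_LOG = """\
[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not available in NSS 3.44. Ignoring rsa_rc4_128_md5
[17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_3des_sha is not available in NSS 3.44. Ignoring rsa_3des_sha
[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
[17/Sep/2019:17:17:52.000000000 +0300] - INFO - example - constructed unrelated line
"""

IGNORED_RE = re.compile(r"Cipher suite (\S+) is not available in NSS ([\d.]+)\. Ignoring")
NO_SUITE_RE = re.compile(r"No active cipher suite is available")
# Algorithm names that make a suite obsolete whatever NSS version is installed.
OBSOLETE_RE = re.compile(r"(null|rc4|rc2|des|export|md5)")

def audit_cipher_log(text):
    """Summarise which configured suites NSS ignored and whether none were left."""
    ignored, nss_version, fatal = [], None, False
    for line in text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            ignored.append(m.group(1))
            nss_version = m.group(2)
        elif NO_SUITE_RE.search(line):
            fatal = True          # the server came up with no usable TLS cipher at all
    return {"nss_version": nss_version, "ignored": ignored,
            "obsolete": [s for s in ignored if OBSOLETE_RE.search(s)],
            "no_active_suite": fatal}

def reset_ciphers_ldif():
    """LDIF for ldapmodify that sets nsSSL3Ciphers back to the NSS default list."""
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: nsSSL3Ciphers\n"
            "nsSSL3Ciphers: default\n")

def recommend(audit):
    """Turn the audit result into the operator action."""
    if audit["no_active_suite"]:
        return "no usable suite: apply reset_ciphers_ldif() and restart the instance"
    if audit["ignored"]:
        return "some configured suites dropped: review nsSSL3Ciphers"
    return "cipher configuration accepted by NSS"

if __name__ == "__main__":
    result = audit_cipher_log(SAMPLE_ERRORS_LOG)
    print("NSS", result["nss_version"], "ignored", result["ignored"])
    print("obsolete on their own:", result["obsolete"])
    print(recommend(result))
    print(reset_ciphers_ldif())
```

Write the output of reset_ciphers_ldif() to a file and feed it to ldapmodify (for example ldapmodify -x -D "cn=Directory Manager" -W -f reset.ldif against the instance, preferably over an ldapi:// socket rather than plain ldap:// so the bind password does not cross the network while LDAPS is broken), then restart the instance as Mark notes (systemctl restart dirsrv@INSTANCE, where INSTANCE stands for your instance name). Mark's other option, editing dse.ldif with the server stopped, needs no ldapmodify at all.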
On Tue, Sep 17, 2019 at 5:54 PM Mark Reynolds mreynolds@redhat.com wrote:
Awesome. Thank you Mark!
HTH, Mark
On Tue, Sep 17, 2019 at 5:42 PM William Brown wbrown@suse.de wrote:
Hey there,
Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
Thanks!
On 17 Sep 2019, at 16:40, Mihai Carabas mihai.carabas@gmail.com wrote:
Hello,
After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the following issue on LDAPS:
ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
ldap_create
ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.curs.pub.ro:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 141.85.241.48:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=303, written=303
0000: 16 03 01 01 2a 01 00 01 26 03 03 72 71 d6 83 08 ....*...&..rq...
0010: 7a 5f 26 69 2b f7 f7 4f 59 76 87 c0 07 bc 6c db z_&i+..OYv....l.
0020: fe 51 69 e4 2c dc 65 3d 52 48 f6 20 2b c1 75 d1 .Qi.,.e=RH. +.u.
0030: 98 3b dc 70 3e 69 82 a4 41 91 7f 89 0e fc 52 43 .;.p>i..A.....RC
0040: ab be c9 77 0b 02 a7 f1 9f ec a7 d0 00 48 13 02 ...w.........H..
0050: 13 03 13 01 13 04 c0 2c c0 30 cc a9 cc a8 c0 ad .......,.0......
0060: c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 .+./...#.'......
0070: c0 13 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 ...........=.<.5
0080: 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 ./...........k.g
0090: 00 39 00 33 00 ff 01 00 00 95 00 0b 00 04 03 00 .9.3............
00a0: 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 ................
00b0: 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d ...#............
00c0: 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 .0..............
00d0: 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 ................
00e0: 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 ................
00f0: 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 ...+............
0100: 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 4c -.....3.&.$... L
0110: 3f b1 bc f8 d0 a1 54 e7 a2 6f d4 d4 d1 ab b3 77 ?.....T..o.....w
0120: 67 2c ea 51 94 f3 fa 43 de 96 5f 9b eb 12 10 g,.Q...C.._....
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
0000: 15 03 03 00 02 .....
tls_read: want=2, got=2
0000: 02 50 .P
TLS trace: SSL3 alert read:fatal:internal error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
All the things remained the same like before upgrading. I see this internal error and I could not find any hints about it. Did someone hit this issue?
Thank you,
Mihai Carabas
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
--
389 Directory Server Development Team
389-users@lists.fedoraproject.org
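The two halves of this thread describe one failure from two sides: the server log says every suite named in nsSSL3Ciphers is unknown to NSS 3.44 and ends with "No active cipher suite is available", and the ldapsearch trace shows the client receiving a 7-byte TLS alert record (header 15 03 03 00 02, body 02 50) whose body decodes to level 2 = fatal, description 80 = internal_error. The script below is an added example, not code from the thread or from the 389ds project: it decodes that alert record, pulls the ignored suite names out of error-log lines of the format quoted above, flags the suites whose names mark them as legacy (null, export, RC4, RC2, DES/3DES, Fortezza, MD5), and emits the LDIF for the fix Mark recommends. The sample log lines and alert bytes are constructed from what the thread quotes; the LEGACY_MARKERS list is my own heuristic, not anything 389ds ships.

```python
"""Correlate a 389ds 'Security Initialization' cipher failure with the TLS alert
the client sees, and produce the ldapmodify LDIF that resets nsSSL3Ciphers.

Added example for the 389-users thread; not part of 389ds. Sample inputs are
constructed from the lines quoted in the thread."""
import re

# TLS alert levels and the descriptions this example needs (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 71: "insufficient_security",
                      80: "internal_error"}

# One warning per configured suite that the linked NSS does not know, then a
# final line when nothing usable is left.
IGNORED_RE = re.compile(
    r"SSL alert: Cipher suite (?P<name>\S+) is not available in NSS (?P<nss>[\d.]+)\. Ignoring")
FATAL_RE = re.compile(r"Failed to set SSL cipher preference information: "
                      r"No active cipher suite is available")

# Heuristic (my assumption, not a 389ds list): substrings that identify suites
# nobody should want re-enabled in 2019 regardless of what NSS still supports.
LEGACY_MARKERS = ("null", "export", "rc4", "rc2", "des", "fortezza", "md5")


def decode_alert_record(raw: bytes):
    """Decode a complete TLS alert record (5-byte header + 2-byte body)."""
    if len(raw) != 7 or raw[0] != 0x15:            # content type 21 = alert
        raise ValueError("not a 7-byte TLS alert record")
    if int.from_bytes(raw[3:5], "big") != 2:       # alert body is always 2 bytes
        raise ValueError("alert record length must be 2")
    level, desc = raw[5], raw[6]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}"))


def summarize_errors_log(lines):
    """Return (ignored suite names, NSS version seen, True if cipher init failed)."""
    ignored, nss, failed = [], None, False
    for line in lines:
        m = IGNORED_RE.search(line)
        if m:
            ignored.append(m.group("name"))
            nss = m.group("nss")
        elif FATAL_RE.search(line):
            failed = True
    return ignored, nss, failed


def is_legacy_suite(name: str) -> bool:
    """True if the suite name carries a marker from LEGACY_MARKERS."""
    lowered = name.lower()
    return any(marker in lowered for marker in LEGACY_MARKERS)


def fix_ldif() -> str:
    """LDIF for 'ldapmodify' that puts cn=encryption back on the NSS defaults.
    The server must be restarted afterwards (per Mark's answer in the thread)."""
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: nsSSL3Ciphers\n"
            "nsSSL3Ciphers: default\n")


# Constructed sample input: a subset of the error-log lines quoted in the thread.
SAMPLE_ERRORS_LOG = [
    "[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: "
    "Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5",
    "[17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security Initialization - SSL alert: "
    "Cipher suite tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44. "
    "Ignoring tls_rsa_export1024_with_rc4_56_sha",
    "[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security Initialization - SSL alert: "
    "Cipher suite tls_rsa_aes_128_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_128_sha",
    "[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: "
    "Failed to set SSL cipher preference information: No active cipher suite is available. "
    "(Netscape Portable Runtime error 0 - no error)",
]
# Constructed from the ldapsearch trace: record header 15 03 03 00 02, body 02 50.
SAMPLE_ALERT = bytes.fromhex("15 03 03 00 02 02 50".replace(" ", ""))

if __name__ == "__main__":
    print("client saw alert:", decode_alert_record(SAMPLE_ALERT))
    ignored, nss, failed = summarize_errors_log(SAMPLE_ERRORS_LOG)
    print(f"NSS {nss} ignored {len(ignored)} configured suites; init failed: {failed}")
    for name in ignored:
        print(f"  {name:40s} {'legacy, leave it out' if is_legacy_suite(name) else 'check NSS name'}")
    print("apply with: ldapmodify -H ldap://localhost -D 'cn=Directory Manager' -W <<EOF")
    print(fix_ldif() + "EOF")
```

After the restart, a plain `openssl s_client -connect ldap.curs.pub.ro:636` should now complete the handshake instead of returning the fatal internal_error alert; if it still fails, the next thing to check in the error log is whether the "Security Initialization" warnings are gone.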