<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div>
<div>On 07/19/2013 08:38 AM, Darcy Hodgson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jul 19, 2013 at 10:00 AM,
Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 07/19/2013 06:43 AM, Darcy Hodgson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,<br>
<br>
I have been setting up SSL/TLS with 389 DS on
CentOS 6.4. I have been able to get it working
and can connect with LDAPS. However when I
started to disable some of the ciphers I
noticed that my server wasn't accepting any of
the DHE ciphers. I enabled all the ciphers with
+all and used sslmap to confirm that the server
was only choosing RSA.<br>
<br>
I checked the logs and the only thing they say
is "Cannot communicate securely with peer: no
common encryption algorithm(s)."<br>
<br>
Any help getting the DHE ciphers to work or
pointing me to some documentation would be
appreciated.<br>
</div>
</blockquote>
<br>
</div>
</div>
Can you please provide the exact steps to reproduce the
issue? Please include the versions of the nspr, nss,
openldap, and 389-ds-base packages.<br>
Have you tried openssl s_client?<br>
<br>
<blockquote type="cite">
<div dir="ltr"> <br>
<br>
Thanks,<br>
<br>
Darcy<br>
<div class="gmail_quote">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div> Here is the requested software installed.</div>
<div><br>
</div>
<div>openssh-5.3p1-84.1.el6.x86_64</div>
<div>
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64</div>
<div>openssh-clients-5.3p1-84.1.el6.x86_64</div>
<div>nspr-4.9.2-1.el6.x86_64</div>
<div>nss-sysinit-3.14.0.0-12.el6.x86_64</div>
<div>openldap-2.4.23-32.el6_4.1.x86_64</div>
<div>
nss-softokn-freebl-3.12.9-11.el6.x86_64</div>
<div>openssh-server-5.3p1-84.1.el6.x86_64</div>
<div>nss-softokn-3.12.9-11.el6.x86_64</div>
<div>openldap-clients-2.4.23-32.el6_4.1.x86_64</div>
<div>389-ds-base-1.2.11.15-14.el6_4.x86_64</div>
<div>nss-util-3.14.0.0-2.el6.x86_64</div>
<div>nss-3.14.0.0-12.el6.x86_64</div>
<div>openssl-1.0.0-27.el6_4.2.x86_64</div>
<div>nss-tools-3.14.0.0-12.el6.x86_64</div>
<div><br>
</div>
<div>Here are my encryption settings.</div>
<div>
<br>
</div>
<div>dn: cn=encryption,cn=config</div>
<div>objectClass: top</div>
<div>objectClass: nsEncryptionConfig</div>
<div>cn: encryption</div>
<div>nsSSLSessionTimeout: 0</div>
<div>nsSSLClientAuth: allowed</div>
<div>nsSSL2: off</div>
<div>nsSSL3: off</div>
<div>nsSSL3Ciphers: +all</div>
<div>creatorsName: cn=server,cn=plugins,cn=config</div>
<div>modifiersName: cn=server,cn=plugins,cn=config</div>
<div>createTimestamp: 20130702171319Z</div>
<div>modifyTimestamp: 20130702171319Z</div>
<div>numSubordinates: 1</div>
<div><br>
</div>
<div>dn: cn=RSA,cn=encryption,cn=config</div>
<div>changetype: add</div>
<div>objectclass: top</div>
<div>objectclass: nsEncryptionModule</div>
<div>cn: RSA</div>
<div>nsSSLPersonalitySSL: test-cert</div>
<div>nsSSLToken: internal (software)</div>
<div>nsSSLActivation: on</div>
<div><br>
</div>
<div><br>
</div>
<div>I installed everything via Yum and only added the
encryption settings and "nsslapd-security: on" after going
through the setup-ds script.</div>
<div><br>
</div>
<div>When I run openssl s_client -connect localhost:636 it
connects fine with AES256-SHA</div>
<div><br>
</div>
<div><br>
</div>
<div>When I specify a cipher it fails the handshake.</div>
<div><br>
</div>
<div>root@ldap01 ~]# openssl s_client -connect localhost:636
-cipher DHE-DSS-AES128-SHA</div>
</div>
</div>
</div>
</blockquote>
<br></div></div>
try adding -debug - let's see if s_client will tell us the list of
ciphers the server says are available<br>
<br>
<blockquote type="cite"><div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>CONNECTED(00000003)</div>
<div>139667370157896:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:674:</div>
<div>---</div>
<div>no peer certificate available</div>
<div>---</div>
<div>No client certificate CA names sent</div>
<div>---</div>
<div>SSL handshake has read 7 bytes and written 58 bytes</div>
<div>---</div>
<div>New, (NONE), Cipher is (NONE)</div>
<div>Secure Renegotiation IS NOT supported</div>
<div>Compression: NONE</div>
<div>Expansion: NONE</div>
<div>---</div>
<div>[root@ldap01 ~]# </div>
<div><br>
</div>
<div>I checked on the redhat site and DHE-DSS-AES128-SHA
should be included (tls_dhe_dss_aes_128_sha).</div>
<div>
<br>
</div>
<div><br>
</div>
<div>-Darcy</div>
</div>
<br>
</div>
</div>
</div></blockquote><br></div></blockquote><div><br></div><div>I can see the 29 ciphers (didn't want to translate them all) that openssl is sending within the client hello message.</div><div><br></div><div>...</div>
<div>0080 cf 00 00 3a 00 39 00 38 00 88 00 87 00 35 00 84 ...:.9.8 .....5..</div><div>0090 00 16 00 13 00 0a 00 33 00 32 00 9a 00 99 00 45 .......3 .2.....E</div><div>00a0 00 44 00 2f 00 96 00 41 00 05 00 04 00 15 00 12 .D./...A ........</div>
<div>00b0 00 09 00 14 00 11 00 08 00 06 00 03 00 ff</div><div>...</div><div><br></div><div>But the server only sends back the one it has selected in the server hello message</div><div><br></div><div>Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)</div>
<div><br></div><div><br></div><div>When I use the debug and force the cipher, I get the following:</div><div><br></div><div>[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA -debug</div><div>
CONNECTED(00000003)</div><div>write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))</div><div>0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22 ....5...1..Q.i4"</div><div>0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8 =.(8f....>.:C9..</div>
<div>0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32 '..[nm... .....2</div><div>0030 - 00 ff 01 00 00 04 00 23- .......#</div><div>003a - <SPACES/NULS></div><div>read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))</div>
<div>0000 - 15 03 01 00 02 02 28 ......(</div><div>139928132474696:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:</div><div>---</div><div>no peer certificate available</div>
<div>---</div><div>No client certificate CA names sent</div><div>---</div><div>SSL handshake has read 7 bytes and written 58 bytes</div><div>---</div><div>New, (NONE), Cipher is (NONE)</div><div>Secure Renegotiation IS NOT supported</div>
<div>Compression: NONE</div><div>Expansion: NONE</div><div>---</div><div>[root@ldap01 ~]# </div><div><br></div><div><br></div></div></div>
</div>
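<div>To read the -debug output above without translating the hex by hand, here is an added example (not code from the thread or from 389 DS) that decodes the quoted ClientHello record and the 7-byte alert the server answered with. The byte strings are constructed from the dump shown above, and the suite-name table covers only the codes that appear on this page; everything else is reported as a hex code.</div>

```python
import struct
# Constructed from the hex dumps quoted in the thread (added example, not the
# thread's own code): the 58-byte ClientHello that "openssl s_client -cipher
# DHE-DSS-AES128-SHA" wrote, and the 7-byte record the server sent back.
CLIENT_HELLO = bytes.fromhex(
    "160301003501000031030151e9693422" "3df2283866ea10819f3ee93a4339b1d8"
    "277faf5b6e6dffb1db20ae0000040032" "00ff0100000400230000")
SERVER_REPLY = bytes.fromhex("15030100020228")

# Suite codes that appear on this page; anything else is reported as hex.
SUITES = {0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
ALERTS = {(2, 40): "fatal handshake_failure", (2, 70): "fatal protocol_version"}

def parse_client_hello(rec):
    """Return (version, offered suite names, extension types) from one TLS record."""
    ctype, major, minor, rec_len = struct.unpack("!BBBH", rec[:5])
    if ctype != 0x16 or rec[5] != 0x01:             # handshake record, ClientHello
        raise ValueError("not a ClientHello record")
    h = rec[9:9 + int.from_bytes(rec[6:9], "big")]  # 3-byte handshake length
    pos = 2 + 32                                    # client_version + random
    pos += 1 + h[pos]                               # session_id<0..32>
    cs_len = struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    codes = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + h[pos]                               # compression_methods<1..255>
    exts = []
    if pos < len(h):                                # extensions block is optional
        ext_len = struct.unpack("!H", h[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    names = [SUITES.get(c, "0x%04x" % c) for c in codes]
    return "%d.%d" % (h[0], h[1]), names, exts

def parse_alert(rec):
    """Name the alert in a TLS alert record, or None if the record is not an alert."""
    ctype, major, minor, rec_len = struct.unpack("!BBBH", rec[:5])
    if ctype != 0x15 or rec_len != 2:
        return None
    return ALERTS.get((rec[5], rec[6]), "level %d description %d" % (rec[5], rec[6]))

if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO))   # version, suites, extensions
    print(parse_alert(SERVER_REPLY))
```

The decoded ClientHello offers exactly one real suite (0x0032) plus the renegotiation SCSV, and the reply is a fatal handshake_failure alert (code 40), which is the same "no common encryption algorithm" condition the server log reports.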