<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 07/19/2013 10:43 AM, Darcy Hodgson
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAN5N0sFU0LfE+OZFid3nq+CATvpQ_67f=T83Uz8_RtkUwZ1sAg@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra">
          <div class="gmail_quote">On Fri, Jul 19, 2013 at 11:37 AM,
            Rich Megginson <span dir="ltr">&lt;<a
                moz-do-not-send="true" href="mailto:rmeggins@redhat.com"
                target="_blank">rmeggins@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>
                  <div>
                    <div>On 07/19/2013 08:38 AM, Darcy Hodgson wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr"><br>
                        <div class="gmail_extra"><br>
                          <br>
                          <div class="gmail_quote">On Fri, Jul 19, 2013
                            at 10:00 AM, Rich Megginson <span dir="ltr">&lt;<a
                                moz-do-not-send="true"
                                href="mailto:rmeggins@redhat.com"
                                target="_blank">rmeggins@redhat.com</a>&gt;</span>
                            wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                              <div bgcolor="#FFFFFF" text="#000000">
                                <div>
                                  <div>
                                    <div>On 07/19/2013 06:43 AM, Darcy
                                      Hodgson wrote:<br>
                                    </div>
                                    <blockquote type="cite">
                                      <div dir="ltr">Hello,<br>
                                        <br>
                                        I have been setting up SSL/TLS
                                        with 389 DS on CentOS 6.4. I
                                        have been able to get it working
                                        and can connect with LDAPS.
                                        However when I started to
disable some of the ciphers I
                                        noticed that my server wasn't
                                        accepting any of the DHE
                                        ciphers. I enabled all the
                                        ciphers with +all and used
                                        sslmap to confirm that the
                                        server was only choosing RSA.<br>
                                        <br>
                                        I checked the logs and the only
                                        thing they say is "Cannot
                                        communicate securely with peer:
                                        no common encryption
                                        algorithm(s)."<br>
                                        <br>
                                        Any help getting the DHE ciphers
                                        to work or pointing me to some
                                        documentation would be
                                        appreciated.<br>
                                      </div>
                                    </blockquote>
                                    <br>
                                  </div>
                                </div>
                                Can you please provide the exact steps
                                to reproduce the issue?  Please include
                                the versions of the nspr, nss, openldap,
                                and 389-ds-base packages.<br>
                                Have you tried openssl s_client?<br>
                                <br>
                                <blockquote type="cite">
                                  <div dir="ltr"> <br>
                                    <br>
                                    Thanks,<br>
                                    <br>
                                    Darcy<br>
                                  </div>
                                </blockquote>
                              </div>
                            </blockquote>
                            <div> Here is the requested software
                              installed.</div>
                            <div><br>
                            </div>
                            <div>openssh-5.3p1-84.1.el6.x86_64</div>
                            <div>
                              389-ds-base-libs-1.2.11.15-14.el6_4.x86_64</div>
                            <div>openssh-clients-5.3p1-84.1.el6.x86_64</div>
                            <div>nspr-4.9.2-1.el6.x86_64</div>
                            <div>nss-sysinit-3.14.0.0-12.el6.x86_64</div>
                            <div>openldap-2.4.23-32.el6_4.1.x86_64</div>
                            <div>
                              nss-softokn-freebl-3.12.9-11.el6.x86_64</div>
                            <div>openssh-server-5.3p1-84.1.el6.x86_64</div>
                            <div>nss-softokn-3.12.9-11.el6.x86_64</div>
                            <div>openldap-clients-2.4.23-32.el6_4.1.x86_64</div>
                            <div>389-ds-base-1.2.11.15-14.el6_4.x86_64</div>
                            <div>nss-util-3.14.0.0-2.el6.x86_64</div>
                            <div>nss-3.14.0.0-12.el6.x86_64</div>
                            <div>openssl-1.0.0-27.el6_4.2.x86_64</div>
                            <div>nss-tools-3.14.0.0-12.el6.x86_64</div>
                            <div><br>
                            </div>
                            <div>Here are my encryption settings.</div>
                            <div> <br>
                            </div>
                            <div>dn: cn=encryption,cn=config</div>
                            <div>objectClass: top</div>
                            <div>objectClass: nsEncryptionConfig</div>
                            <div>cn: encryption</div>
                            <div>nsSSLSessionTimeout: 0</div>
                            <div>nsSSLClientAuth: allowed</div>
                            <div>nsSSL2: off</div>
                            <div>nsSSL3: off</div>
                            <div>nsSSL3Ciphers: +all</div>
                            <div>creatorsName:
                              cn=server,cn=plugins,cn=config</div>
                            <div>modifiersName:
                              cn=server,cn=plugins,cn=config</div>
                            <div>createTimestamp: 20130702171319Z</div>
                            <div>modifyTimestamp: 20130702171319Z</div>
                            <div>numSubordinates: 1</div>
                            <div><br>
                            </div>
                            <div>dn: cn=RSA,cn=encryption,cn=config</div>
                            <div>changetype: add</div>
                            <div>objectclass: top</div>
                            <div>objectclass: nsEncryptionModule</div>
                            <div>cn: RSA</div>
                            <div>nsSSLPersonalitySSL: test-cert</div>
                            <div>nsSSLToken: internal (software)</div>
                            <div>nsSSLActivation: on</div>
                            <div><br>
                            </div>
                            <div><br>
                            </div>
                            <div>I installed everything via Yum and only
                              added the encryption settings and
                              "nsslapd-security: on" after going through
                              the setup-ds script.</div>
                            <div><br>
                            </div>
                            <div>When I run openssl s_client -connect
                              localhost:636 it connects fine with
                              AES256-SHA</div>
                            <div><br>
                            </div>
                            <div><br>
                            </div>
                            <div>When I specify a cipher it fails the
                              handshake.</div>
                            <div><br>
                            </div>
                            <div>root@ldap01 ~]# openssl s_client
                              -connect localhost:636 -cipher
                              DHE-DSS-AES128-SHA</div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
                try adding -debug - let's see if s_client will tell us
                the list of ciphers the server says are available<br>
                <br>
                <blockquote type="cite">
                  <div>
                    <div dir="ltr">
                      <div class="gmail_extra">
                        <div class="gmail_quote">
                          <div>CONNECTED(00000003)</div>
                          <div>139667370157896:error:14077410:SSL
                            routines:SSL23_GET_SERVER_HELLO:sslv3 alert
                            handshake failure:s23_clnt.c:674:</div>
                          <div>---</div>
                          <div>no peer certificate available</div>
                          <div>---</div>
                          <div>No client certificate CA names sent</div>
                          <div>---</div>
                          <div>SSL handshake has read 7 bytes and
                            written 58 bytes</div>
                          <div>---</div>
                          <div>New, (NONE), Cipher is (NONE)</div>
                          <div>Secure Renegotiation IS NOT supported</div>
                          <div>Compression: NONE</div>
                          <div>Expansion: NONE</div>
                          <div>---</div>
                          <div>[root@ldap01 ~]# </div>
                          <div><br>
                          </div>
                          <div>I checked on the redhat site and
                            DHE-DSS-AES128-SHA should be included
                            (tls_dhe_dss_aes_128_sha).</div>
                          <div> <br>
                          </div>
                          <div><br>
                          </div>
                          <div>-Darcy</div>
                        </div>
                        <br>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>I can see the 29 ciphers (didn't want to translate them
              all) that openssl is sending within the client hello
              message.</div>
            <div><br>
            </div>
            <div>...</div>
            <div>0080  cf 00 00 3a 00 39 00 38  00 88 00 87 00 35 00 84
                ...:.9.8 .....5..</div>
            <div>0090  00 16 00 13 00 0a 00 33  00 32 00 9a 00 99 00 45
                .......3 .2.....E</div>
            <div>00a0  00 44 00 2f 00 96 00 41  00 05 00 04 00 15 00 12
                .D./...A ........</div>
            <div>00b0  00 09 00 14 00 11 00 08  00 06 00 03 00 ff</div>
            <div>...</div>
            <div><br>
            </div>
            <div>But the server only sends back the one it has selected
              in the server hello message</div>
            <div><br>
            </div>
            <div>Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)</div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>When I use the debug and force the cipher I get the
              following:</div>
            <div><br>
            </div>
            <div>[root@ldap01 ~]# openssl s_client -connect
              localhost:636 -cipher DHE-DSS-AES128-SHA -debug</div>
            <div>
              CONNECTED(00000003)</div>
            <div>write to 0x2023a30 [0x20c3990] (58 bytes =&gt; 58
              (0x3A))</div>
            <div>0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22
                ....5...1..Q.i4"</div>
            <div>0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8
                =.(8f....&gt;.:C9..</div>
            <div>0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32
                '..[nm... .....2</div>
            <div>0030 - 00 ff 01 00 00 04 00 23-                        
               .......#</div>
            <div>003a - &lt;SPACES/NULS&gt;</div>
            <div>read from 0x2023a30 [0x20c8ef0] (7 bytes =&gt; 7 (0x7))</div>
            <div>0000 - 15 03 01 00 02 02 28                            
               ......(</div>
            <div>139928132474696:error:14077410:SSL
              routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
              failure:s23_clnt.c:674:</div>
            <div>---</div>
            <div>no peer certificate available</div>
            <div>---</div>
            <div>No client certificate CA names sent</div>
            <div>---</div>
            <div>SSL handshake has read 7 bytes and written 58 bytes</div>
            <div>---</div>
            <div>New, (NONE), Cipher is (NONE)</div>
            <div>Secure Renegotiation IS NOT supported</div>
            <div>Compression: NONE</div>
            <div>Expansion: NONE</div>
            <div>---</div>
            <div>[root@ldap01 ~]#  </div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    Ok.  Please file a ticket at <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/newticket">https://fedorahosted.org/389/newticket</a><br>
    <blockquote
cite="mid:CAN5N0sFU0LfE+OZFid3nq+CATvpQ_67f=T83Uz8_RtkUwZ1sAg@mail.gmail.com"
      type="cite">
      <pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
    </blockquote>
    <br>
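    Added example, not code from the thread or from 389 DS: a small Python decoder for the TLS records shown in the s_client -debug output above. It parses the forced-cipher ClientHello (58 bytes), the server's 7-byte alert reply, and the 29-entry cipher_suites vector, and flags which offered suites are ephemeral-DH; the suite codes come from the TLS registry and the names are openssl's, the bytes are transcribed from the dumps in the thread.<br>

```python
import struct

# Suite codes named in the dumps above, as openssl s_client prints them.
SUITE_NAMES = {
    0x0039: "DHE-RSA-AES256-SHA", 0x0038: "DHE-DSS-AES256-SHA",
    0x0035: "AES256-SHA", 0x0033: "DHE-RSA-AES128-SHA",
    0x0032: "DHE-DSS-AES128-SHA", 0x002F: "AES128-SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
# Ephemeral-DH (DHE_DSS / DHE_RSA) suite codes from the TLS registry.
DHE_CODES = {0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x32, 0x33, 0x38, 0x39,
             0x44, 0x45, 0x87, 0x88, 0x99, 0x9A}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}

def parse_suite_list(data: bytes) -> list:
    """Decode a TLS cipher_suites vector: 2-byte length, then 2 bytes per suite."""
    (length,) = struct.unpack("!H", data[:2])
    return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, length, 2)]

def dhe_suites(suites: list) -> list:
    """Suites that need the server to do ephemeral DH (DHE-DSS ones also need a DSA cert)."""
    return [s for s in suites if s in DHE_CODES]

def parse_record(data: bytes) -> dict:
    """Decode one TLS record: a ClientHello (suites offered) or an Alert."""
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if ctype == 0x15:  # alert: level (1 warning, 2 fatal) + description
        return {"type": "alert", "fatal": body[0] == 2,
                "description": ALERT_DESCRIPTIONS.get(body[1], str(body[1]))}
    if ctype == 0x16 and body[0] == 0x01:  # handshake, msg_type client_hello
        pos = 4 + 2 + 32            # skip msg header, client_version, random
        pos += 1 + body[pos]        # skip length-prefixed session_id
        suites = parse_suite_list(body[pos:])
        return {"type": "client_hello", "suites": suites,
                "names": [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites]}
    raise ValueError("unsupported record type 0x%02x" % ctype)

# Bytes transcribed from the -debug output above: the forced-cipher
# ClientHello (58 bytes) and the server's 7-byte reply.
CLIENT_HELLO = bytes.fromhex(
    "160301003501000031030151e96934223df2283866ea10819f3ee93a4339b1d8"
    "277faf5b6e6dffb1db20ae000004003200ff0100000400230000")
SERVER_REPLY = bytes.fromhex("15030100020228")
# The cipher_suites vector of the 29-suite ClientHello (from offset 0x82).
FULL_LIST = bytes.fromhex(
    "003a00390038008800870035008400160013000a00330032009a00990045"
    "0044002f00960041000500040015001200090014001100080006000300ff")
```

Running parse_record over the two transcribed records shows the client offering only DHE-DSS-AES128-SHA plus the renegotiation SCSV, and the server answering with a fatal handshake_failure alert rather than a ServerHello.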
  </body>
</html>