<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 07/19/2013 06:43 AM, Darcy Hodgson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,<br>
<br>
I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have
been able to get it working and can connect with LDAPS. However
when I started to disabled some of the ciphers I noticed that my
server wasn't accepting any of the DHE ciphers. I enabled all
the ciphers with +all and used sslmap to confirm that the server
was only choosing RSA.<br>
<br>
I checked the logs and the only thing they say is "Cannot
communicate securely with peer: no common encryption
algorithm(s)."<br>
<br>
Any help getting the DHE ciphers to work or pointing me to some
documentation would be appreciated.<br>
</div>
</blockquote>
<br></div></div>
Can you please provide the exact steps to reproduce the issue?
Please include the versions of the nspr, nss, openldap, and
389-ds-base packages.<br>
Have you tried openssl s_client?<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<br>
<br>
Thanks,<br>
<br>
Darcy<br>
<div class="gmail_quote">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
<div><br></div></div></div></div></div></div></div></div></blockquote></div></blockquote><div> Here is the requested software installed.</div><div><br></div><div>openssh-5.3p1-84.1.el6.x86_64</div><div>
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64</div><div>openssh-clients-5.3p1-84.1.el6.x86_64</div><div>nspr-4.9.2-1.el6.x86_64</div><div>nss-sysinit-3.14.0.0-12.el6.x86_64</div><div>openldap-2.4.23-32.el6_4.1.x86_64</div><div>
nss-softokn-freebl-3.12.9-11.el6.x86_64</div><div>openssh-server-5.3p1-84.1.el6.x86_64</div><div>nss-softokn-3.12.9-11.el6.x86_64</div><div>openldap-clients-2.4.23-32.el6_4.1.x86_64</div><div>389-ds-base-1.2.11.15-14.el6_4.x86_64</div>
<div>nss-util-3.14.0.0-2.el6.x86_64</div><div>nss-3.14.0.0-12.el6.x86_64</div><div>openssl-1.0.0-27.el6_4.2.x86_64</div><div>nss-tools-3.14.0.0-12.el6.x86_64</div><div><br></div><div>Here is my encryption settings.</div><div>
<br></div><div>dn: cn=encryption,cn=config</div><div>objectClass: top</div><div>objectClass: nsEncryptionConfig</div><div>cn: encryption</div><div>nsSSLSessionTimeout: 0</div><div>nsSSLClientAuth: allowed</div><div>nsSSL2: off</div>
<div>nsSSL3: off</div><div>nsSSL3Ciphers: +all</div><div>creatorsName: cn=server,cn=plugins,cn=config</div><div>modifiersName: cn=server,cn=plugins,cn=config</div><div>createTimestamp: 20130702171319Z</div><div>modifyTimestamp: 20130702171319Z</div>
<div>numSubordinates: 1</div><div><br></div><div>dn: cn=RSA,cn=encryption,cn=config</div><div>changetype: add</div><div>objectclass: top</div><div>objectclass: nsEncryptionModule</div><div>cn: RSA</div><div>nsSSLPersonalitySSL: test-cert</div>
<div>nsSSLToken: internal (software)</div><div>nsSSLActivation: on</div><div><br></div><div><br></div><div>I installed everything via Yum and only added the encryption settings and "nsslapd-security: on" after going through the setup-ds script.</div>
<div><br></div><div>When I run openssl s_client -connect localhost:636 it connects fine with AES256-SHA</div><div><br></div><div><br></div><div>When I specify a cipher it fails the handshake.</div><div><br></div><div>root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA</div>
<div>CONNECTED(00000003)</div><div>139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:</div><div>---</div><div>no peer certificate available</div><div>---</div>
<div>No client certificate CA names sent</div><div>---</div><div>SSL handshake has read 7 bytes and written 58 bytes</div><div>---</div><div>New, (NONE), Cipher is (NONE)</div><div>Secure Renegotiation IS NOT supported</div>
<div>Compression: NONE</div><div>Expansion: NONE</div><div>---</div><div>[root@ldap01 ~]# </div><div><br></div><div>I checked on the redhat site and DHE-DSS-AES128-SHA should be included (tls_dhe_dss_aes_128_sha).</div><div>
<br></div><div><br></div><div>-Darcy</div></div><br></div></div>