<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/19/2013 08:38 AM, Darcy Hodgson
wrote:<br>
</div>
<blockquote
cite="mid:CAN5N0sEapgpwdERCJMVqOXtZq3ZtFOxKONggvM5cEQY0LZrLgQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jul 19, 2013 at 10:00 AM,
Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 07/19/2013 06:43 AM, Darcy Hodgson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,<br>
<br>
I have been setting up SSL/TLS with 389 DS on
CentOS 6.4. I have been able to get it working
and can connect with LDAPS. However when I
started to disabled some of the ciphers I
noticed that my server wasn't accepting any of
the DHE ciphers. I enabled all the ciphers with
+all and used sslmap to confirm that the server
was only choosing RSA.<br>
<br>
I checked the logs and the only thing they say
is "Cannot communicate securely with peer: no
common encryption algorithm(s)."<br>
<br>
Any help getting the DHE ciphers to work or
pointing me to some documentation would be
appreciated.<br>
</div>
</blockquote>
<br>
</div>
</div>
Can you please provide the exact steps to reproduce the
issue? Please include the versions of the nspr, nss,
openldap, and 389-ds-base packages.<br>
Have you tried openssl s_client?<br>
<br>
<blockquote type="cite">
<div dir="ltr"> <br>
<br>
Thanks,<br>
<br>
Darcy<br>
<div class="gmail_quote">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div> Here is the requested software installed.</div>
<div><br>
</div>
<div>openssh-5.3p1-84.1.el6.x86_64</div>
<div>
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64</div>
<div>openssh-clients-5.3p1-84.1.el6.x86_64</div>
<div>nspr-4.9.2-1.el6.x86_64</div>
<div>nss-sysinit-3.14.0.0-12.el6.x86_64</div>
<div>openldap-2.4.23-32.el6_4.1.x86_64</div>
<div>
nss-softokn-freebl-3.12.9-11.el6.x86_64</div>
<div>openssh-server-5.3p1-84.1.el6.x86_64</div>
<div>nss-softokn-3.12.9-11.el6.x86_64</div>
<div>openldap-clients-2.4.23-32.el6_4.1.x86_64</div>
<div>389-ds-base-1.2.11.15-14.el6_4.x86_64</div>
<div>nss-util-3.14.0.0-2.el6.x86_64</div>
<div>nss-3.14.0.0-12.el6.x86_64</div>
<div>openssl-1.0.0-27.el6_4.2.x86_64</div>
<div>nss-tools-3.14.0.0-12.el6.x86_64</div>
<div><br>
</div>
<div>Here is my encryption settings.</div>
<div>
<br>
</div>
<div>dn: cn=encryption,cn=config</div>
<div>objectClass: top</div>
<div>objectClass: nsEncryptionConfig</div>
<div>cn: encryption</div>
<div>nsSSLSessionTimeout: 0</div>
<div>nsSSLClientAuth: allowed</div>
<div>nsSSL2: off</div>
<div>nsSSL3: off</div>
<div>nsSSL3Ciphers: +all</div>
<div>creatorsName: cn=server,cn=plugins,cn=config</div>
<div>modifiersName: cn=server,cn=plugins,cn=config</div>
<div>createTimestamp: 20130702171319Z</div>
<div>modifyTimestamp: 20130702171319Z</div>
<div>numSubordinates: 1</div>
<div><br>
</div>
<div>dn: cn=RSA,cn=encryption,cn=config</div>
<div>changetype: add</div>
<div>objectclass: top</div>
<div>objectclass: nsEncryptionModule</div>
<div>cn: RSA</div>
<div>nsSSLPersonalitySSL: test-cert</div>
<div>nsSSLToken: internal (software)</div>
<div>nsSSLActivation: on</div>
<div><br>
</div>
<div><br>
</div>
<div>I installed everything via Yum and only added the
encryption settings and "nsslapd-security: on" after going
through the setup-ds script.</div>
<div><br>
</div>
<div>When I run openssl s_client -connect localhost:636 it
connects fine with AES256-SHA</div>
<div><br>
</div>
<div><br>
</div>
<div>When I specify a cipher it fails the handshake.</div>
<div><br>
</div>
<div>root@ldap01 ~]# openssl s_client -connect localhost:636
-cipher DHE-DSS-AES128-SHA</div>
</div>
</div>
</div>
</blockquote>
<br>
try adding -debug - let's see if s_client will tell us the list of
ciphers the server says are available<br>
<br>
<blockquote
cite="mid:CAN5N0sEapgpwdERCJMVqOXtZq3ZtFOxKONggvM5cEQY0LZrLgQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>CONNECTED(00000003)</div>
<div>139667370157896:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:674:</div>
<div>---</div>
<div>no peer certificate available</div>
<div>---</div>
<div>No client certificate CA names sent</div>
<div>---</div>
<div>SSL handshake has read 7 bytes and written 58 bytes</div>
<div>---</div>
<div>New, (NONE), Cipher is (NONE)</div>
<div>Secure Renegotiation IS NOT supported</div>
<div>Compression: NONE</div>
<div>Expansion: NONE</div>
<div>---</div>
<div>[root@ldap01 ~]# </div>
<div><br>
</div>
<div>I checked on the redhat site and DHE-DSS-AES128-SHA
should be included (tls_dhe_dss_aes_128_sha).</div>
<div>
<br>
</div>
<div><br>
</div>
<div>-Darcy</div>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</body>
</html>