After investigating, it seems that no cypersuite is available in
NSS3.44, from the ones I have:
[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_null_md5 is not available
in NSS 3.44. Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_null_sha is not available
in NSS 3.44. Ignoring rsa_null_sha
[17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not
available in NSS 3.44. Ignoring rsa_rc4_128_md5
[17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not
available in NSS 3.44. Ignoring rsa_rc4_40_md5
[17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not
available in NSS 3.44. Ignoring rsa_rc2_40_md5
[17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_des_sha is not available
in NSS 3.44. Ignoring rsa_des_sha
[17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not
available in NSS 3.44. Ignoring rsa_fips_des_sha
[17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_3des_sha is not available
in NSS 3.44. Ignoring rsa_3des_sha
[17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not
available in NSS 3.44. Ignoring rsa_fips_3des_sha
[17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza is not available in
NSS 3.44. Ignoring fortezza
[17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not
available in NSS 3.44. Ignoring fortezza_rc4_128_sha
[17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza_null is not
available in NSS 3.44. Ignoring fortezza_null
[17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite
tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44.
Ignoring tls_rsa_export1024_with_rc4_56_sha
[17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite
tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44.
Ignoring tls_rsa_export1024_with_des_cbc_sha
[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not
available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
[17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not
available in NSS 3.44. Ignoring tls_rsa_aes_256_sha
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security
Initialization - SSL alert: Failed to set SSL cipher preference
information: No active cipher suite is available. (Netscape Portable
Runtime error 0 - no error)
What other cyphers should I add? Is there a recommandtion?
On Tue, Sep 17, 2019 at 5:42 PM William Brown <wbrown(a)suse.de> wrote:
>
> Hey there,
>
> Can you send us the access log of the connection attempt, as well as the command line
options you used to make the connection?
>
> Thanks!
>
> > On 17 Sep 2019, at 16:40, Mihai Carabas <mihai.carabas(a)gmail.com> wrote:
> >
> > Hello,
> >
> > After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the
> > following issue on LDAPS:
> >
> > ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
> > ldap_create
> > ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP ldap.curs.pub.ro:636
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying 141.85.241.48:636
> > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > attempting to connect:
> > connect success
> > TLS trace: SSL_connect:before SSL initialization
> > tls_write: want=303, written=303
> > 0000: 16 03 01 01 2a 01 00 01 26 03 03 72 71 d6 83 08 ....*...&..rq...
> > 0010: 7a 5f 26 69 2b f7 f7 4f 59 76 87 c0 07 bc 6c db z_&i+..OYv....l.
> > 0020: fe 51 69 e4 2c dc 65 3d 52 48 f6 20 2b c1 75 d1 .Qi.,.e=RH. +.u.
> > 0030: 98 3b dc 70 3e 69 82 a4 41 91 7f 89 0e fc 52 43 .;.p>i..A.....RC
> > 0040: ab be c9 77 0b 02 a7 f1 9f ec a7 d0 00 48 13 02 ...w.........H..
> > 0050: 13 03 13 01 13 04 c0 2c c0 30 cc a9 cc a8 c0 ad .......,.0......
> > 0060: c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 .+./...#.'......
> > 0070: c0 13 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 ...........=.<.5
> > 0080: 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 ./...........k.g
> > 0090: 00 39 00 33 00 ff 01 00 00 95 00 0b 00 04 03 00 .9.3............
> > 00a0: 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 ................
> > 00b0: 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d ...#............
> > 00c0: 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 .0..............
> > 00d0: 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 ................
> > 00e0: 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 ................
> > 00f0: 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 ...+............
> > 0100: 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 4c -.....3.&.$... L
> > 0110: 3f b1 bc f8 d0 a1 54 e7 a2 6f d4 d4 d1 ab b3 77 ?.....T..o.....w
> > 0120: 67 2c ea 51 94 f3 fa 43 de 96 5f 9b eb 12 10 g,.Q...C.._....
> > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > tls_read: want=5, got=5
> > 0000: 15 03 03 00 02 .....
> > tls_read: want=2, got=2
> > 0000: 02 50 .P
> > TLS trace: SSL3 alert read:fatal:internal error
> > TLS trace: SSL_connect:error in error
> > TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > alert internal error.
> > ldap_err2string
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > All the things remained the same like before upgrading. I see tihs
> > internal error and I could not find any hints about it. Did someone
> > hit this issue?
> >
> > Thank you,
> > Mihai Carabas
> > _______________________________________________
> > 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...