[389-users] Fwd: Some cipher suites not working

Rich Megginson rmeggins at redhat.com
Fri Jul 19 15:37:19 UTC 2013


On 07/19/2013 08:38 AM, Darcy Hodgson wrote:
>
> On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
>>     Hello,
>>
>>     I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have
>>     been able to get it working and can connect with LDAPS. However
>>     when I started to disabled some of the ciphers I noticed that my
>>     server wasn't accepting any of the DHE ciphers. I enabled all the
>>     ciphers with +all and used sslmap to confirm that the server was
>>     only choosing RSA.
>>
>>     I checked the logs and the only thing they say is "Cannot
>>     communicate securely with peer: no common encryption algorithm(s)."
>>
>>     Any help getting the DHE ciphers to work or pointing me to some
>>     documentation would be appreciated.
>
>     Can you please provide the exact steps to reproduce the issue? 
>     Please include the versions of the nspr, nss, openldap, and
>     389-ds-base packages.
>     Have you tried openssl s_client?
>
>>
>>     Thanks,
>>
>>     Darcy
>>
>>
>  Here is the requested software installed.
>
> openssh-5.3p1-84.1.el6.x86_64
> 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
> openssh-clients-5.3p1-84.1.el6.x86_64
> nspr-4.9.2-1.el6.x86_64
> nss-sysinit-3.14.0.0-12.el6.x86_64
> openldap-2.4.23-32.el6_4.1.x86_64
> nss-softokn-freebl-3.12.9-11.el6.x86_64
> openssh-server-5.3p1-84.1.el6.x86_64
> nss-softokn-3.12.9-11.el6.x86_64
> openldap-clients-2.4.23-32.el6_4.1.x86_64
> 389-ds-base-1.2.11.15-14.el6_4.x86_64
> nss-util-3.14.0.0-2.el6.x86_64
> nss-3.14.0.0-12.el6.x86_64
> openssl-1.0.0-27.el6_4.2.x86_64
> nss-tools-3.14.0.0-12.el6.x86_64
>
> Here are my encryption settings.
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> nsSSL3Ciphers: +all
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20130702171319Z
> modifyTimestamp: 20130702171319Z
> numSubordinates: 1
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: test-cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
>
> I installed everything via Yum and only added the encryption settings 
> and "nsslapd-security: on" after going through the setup-ds script.
>
> When I run openssl s_client -connect localhost:636 it connects fine 
> with AES256-SHA
>
>
> When I specify a cipher it fails the handshake.
>
> [root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher 
> DHE-DSS-AES128-SHA

Try adding -debug; let's see if s_client will tell us the list of 
ciphers the server says are available.

> CONNECTED(00000003)
> 139667370157896:error:14077410:SSL 
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
> failure:s23_clnt.c:674:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 58 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> [root at ldap01 ~]#
>
> I checked on the redhat site and DHE-DSS-AES128-SHA should be included 
> (tls_dhe_dss_aes_128_sha).
>
>
> -Darcy
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
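As an added illustration (not code from the thread, from 389 DS or from NSS), the following script models the cipher-suite selection step that produces the "no common encryption algorithm(s)" alert. In TLS a suite's authentication algorithm dictates the key type of the certificate the server must present: the DHE-DSS-* suites need a DSA certificate, while AES256-SHA and the DHE-RSA-*/ECDHE-RSA-* suites need an RSA one. The server in the thread has a single cn=RSA encryption module, so a client that offers only DHE-DSS-AES128-SHA can never share a suite with it, whatever nsSSL3Ciphers says. The suite order, the single RSA certificate and the function names are constructed assumptions; whether the server's TLS library actually implements ephemeral DH at all is outside this model, which encodes only the certificate-type constraint.

```python
"""Model of TLS cipher-suite selection: why an RSA-only server rejects a client
that offers only DHE-DSS suites (added example, not 389 DS or NSS code).

Constructed assumptions: the server holds one certificate, of RSA key type (the
thread's cn=RSA module), and has every suite in SUITE_ORDER enabled (+all).
"""

# Classic OpenSSL suite names carry key exchange and authentication in their prefix;
# a name without a prefix (e.g. AES256-SHA) means static RSA key exchange, RSA auth.
_PREFIXES = (
    ("ECDHE-ECDSA-", "ECDHE", "ECDSA"),
    ("ECDHE-RSA-", "ECDHE", "RSA"),
    ("DHE-DSS-", "DHE", "DSS"),
    ("DHE-RSA-", "DHE", "RSA"),
)

# Certificate key type the server must hold for each authentication algorithm.
_CERT_FOR_AUTH = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC"}

# Server preference order (constructed; a real server's order will differ).
SUITE_ORDER = [
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA",
    "DHE-DSS-AES128-SHA",
    "AES256-SHA",
    "AES128-SHA",
]


def parse_suite(name):
    """Return (key_exchange, authentication) for an OpenSSL-style suite name."""
    for prefix, kx, auth in _PREFIXES:
        if name.startswith(prefix):
            return kx, auth
    return "RSA", "RSA"


def server_usable(name, cert_types):
    """A suite is usable only if the server holds a certificate whose key type
    matches the suite's authentication algorithm."""
    _, auth = parse_suite(name)
    return _CERT_FOR_AUTH[auth] in cert_types


def negotiate(client_offer, enabled=SUITE_ORDER, cert_types=("RSA",)):
    """Pick the first server-preferred suite that the client offered and the
    server can actually use. None models the handshake_failure alert the thread
    shows ("no common encryption algorithm(s)")."""
    offered = set(client_offer)
    for name in enabled:
        if name in offered and server_usable(name, cert_types):
            return name
    return None


def explain(client_offer, enabled=SUITE_ORDER, cert_types=("RSA",)):
    """Per offered suite, report why it could or could not be selected."""
    reasons = {}
    for name in client_offer:
        if name not in enabled:
            reasons[name] = "not enabled on the server"
        elif not server_usable(name, cert_types):
            _, auth = parse_suite(name)
            reasons[name] = "needs a %s certificate; server has %s" % (
                _CERT_FOR_AUTH[auth], ", ".join(cert_types))
        else:
            reasons[name] = "usable"
    return reasons


if __name__ == "__main__":
    # The two s_client runs from the thread: default offer vs. -cipher DHE-DSS-AES128-SHA
    for offer in (["AES256-SHA"], ["DHE-DSS-AES128-SHA"]):
        chosen = negotiate(offer)
        print(offer, "->", chosen or "handshake failure: no common encryption algorithm(s)")
        print("   ", explain(offer))
```

Running it reproduces the thread's two outcomes: the default offer settles on AES256-SHA, while the DHE-DSS-only offer yields no common suite, with explain() naming the missing DSA certificate. Passing cert_types=("RSA", "DSA") shows the same DHE-DSS offer succeeding once a DSA certificate is present, which is the check to make before blaming the cipher list.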
