[389-users] Fwd: Some cipher suites not working

Darcy Hodgson darcy at darcyhodgson.com
Fri Jul 19 16:43:31 UTC 2013 

On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <rmeggins at redhat.com>wrote:

>  On 07/19/2013 08:38 AM, Darcy Hodgson wrote:
>
>
>
>
> On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>>   On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
>>
>> Hello,
>>
>> I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been
>> able to get it working and can connect with LDAPS. However when I started
>> to disabled some of the ciphers I noticed that my server wasn't accepting
>> any of the DHE ciphers. I enabled all the ciphers with +all and used sslmap
>> to confirm that the server was only choosing RSA.
>>
>> I checked the logs and the only thing they say is "Cannot communicate
>> securely with peer: no common encryption algorithm(s)."
>>
>> Any help getting the DHE ciphers to work or pointing me to some
>> documentation would be appreciated.
>>
>>
>>  Can you please provide the exact steps to reproduce the issue?  Please
>> include the versions of the nspr, nss, openldap, and 389-ds-base packages.
>> Have you tried openssl s_client?
>>
>>
>>
>> Thanks,
>>
>> Darcy
>>
>>
>>        Here is the requested software installed.
>
>  openssh-5.3p1-84.1.el6.x86_64
>  389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
> openssh-clients-5.3p1-84.1.el6.x86_64
> nspr-4.9.2-1.el6.x86_64
> nss-sysinit-3.14.0.0-12.el6.x86_64
> openldap-2.4.23-32.el6_4.1.x86_64
>  nss-softokn-freebl-3.12.9-11.el6.x86_64
> openssh-server-5.3p1-84.1.el6.x86_64
> nss-softokn-3.12.9-11.el6.x86_64
> openldap-clients-2.4.23-32.el6_4.1.x86_64
> 389-ds-base-1.2.11.15-14.el6_4.x86_64
> nss-util-3.14.0.0-2.el6.x86_64
> nss-3.14.0.0-12.el6.x86_64
> openssl-1.0.0-27.el6_4.2.x86_64
> nss-tools-3.14.0.0-12.el6.x86_64
>
>  Here is my encryption settings.
>
>  dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> nsSSL3Ciphers: +all
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20130702171319Z
> modifyTimestamp: 20130702171319Z
> numSubordinates: 1
>
>  dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: test-cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
>
>  I installed everything via Yum and only added the encryption settings
> and "nsslapd-security: on" after going through the setup-ds script.
>
>  When I run openssl s_client -connect localhost:636 it connects fine with
> AES256-SHA
>
>
>  When I specify a cipher it fails the handshake.
>
>  root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher
> DHE-DSS-AES128-SHA
>
>
> try adding -debug - let's see if s_client will tell us the list of ciphers
> the server says are available
>
>   CONNECTED(00000003)
> 139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:674:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 58 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> [root at ldap01 ~]#
>
>  I checked on the redhat site and DHE-DSS-AES128-SHA should be included
> (tls_dhe_dss_aes_128_sha).
>
>
>  -Darcy
>
>
>
I can see the 29 ciphers (didn't want to translete them all) that openssl
is sending within the client hello message.

...
0080  cf 00 00 3a 00 39 00 38  00 88 00 87 00 35 00 84   ...:.9.8 .....5..
0090  00 16 00 13 00 0a 00 33  00 32 00 9a 00 99 00 45   .......3 .2.....E
00a0  00 44 00 2f 00 96 00 41  00 05 00 04 00 15 00 12   .D./...A ........
00b0  00 09 00 14 00 11 00 08  00 06 00 03 00 ff
...

But the server only sends back the one it has selected in the server hello
message

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)


When I use the debug and force the cipher I get the following:

[root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher
DHE-DSS-AES128-SHA -debug
CONNECTED(00000003)
write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))
0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22   ....5...1..Q.i4"
0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8   =.(8f....>.:C9..
0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32   '..[nm... .....2
0030 - 00 ff 01 00 00 04 00 23-                          .......#
003a - <SPACES/NULS>
read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
139928132474696:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root at ldap01 ~]#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130719/6d847975/attachment.html>

More information about the 389-users mailing list