[389-users] Fwd: Some cipher suites not working
Rich Megginson
rmeggins at redhat.com
Fri Jul 19 16:45:20 UTC 2013
On 07/19/2013 10:43 AM, Darcy Hodgson wrote:
>
> On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 07/19/2013 08:38 AM, Darcy Hodgson wrote:
>>
>>
>>
>> On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson
>> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>>
>> On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
>>> Hello,
>>>
>>> I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I
>>> have been able to get it working and can connect with LDAPS.
>>> However when I started to disabled some of the ciphers I
>>> noticed that my server wasn't accepting any of the DHE
>>> ciphers. I enabled all the ciphers with +all and used sslmap
>>> to confirm that the server was only choosing RSA.
>>>
>>> I checked the logs and the only thing they say is "Cannot
>>> communicate securely with peer: no common encryption
>>> algorithm(s)."
>>>
>>> Any help getting the DHE ciphers to work or pointing me to
>>> some documentation would be appreciated.
>>
>> Can you please provide the exact steps to reproduce the
>> issue? Please include the versions of the nspr, nss,
>> openldap, and 389-ds-base packages.
>> Have you tried openssl s_client?
>>
>>>
>>>
>>> Thanks,
>>>
>>> Darcy
>>>
>>>
>> Here is the requested software installed.
>>
>> openssh-5.3p1-84.1.el6.x86_64
>> 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
>> openssh-clients-5.3p1-84.1.el6.x86_64
>> nspr-4.9.2-1.el6.x86_64
>> nss-sysinit-3.14.0.0-12.el6.x86_64
>> openldap-2.4.23-32.el6_4.1.x86_64
>> nss-softokn-freebl-3.12.9-11.el6.x86_64
>> openssh-server-5.3p1-84.1.el6.x86_64
>> nss-softokn-3.12.9-11.el6.x86_64
>> openldap-clients-2.4.23-32.el6_4.1.x86_64
>> 389-ds-base-1.2.11.15-14.el6_4.x86_64
>> nss-util-3.14.0.0-2.el6.x86_64
>> nss-3.14.0.0-12.el6.x86_64
>> openssl-1.0.0-27.el6_4.2.x86_64
>> nss-tools-3.14.0.0-12.el6.x86_64
>>
>> Here is my encryption settings.
>>
>> dn: cn=encryption,cn=config
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> cn: encryption
>> nsSSLSessionTimeout: 0
>> nsSSLClientAuth: allowed
>> nsSSL2: off
>> nsSSL3: off
>> nsSSL3Ciphers: +all
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=server,cn=plugins,cn=config
>> createTimestamp: 20130702171319Z
>> modifyTimestamp: 20130702171319Z
>> numSubordinates: 1
>>
>> dn: cn=RSA,cn=encryption,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: nsEncryptionModule
>> cn: RSA
>> nsSSLPersonalitySSL: test-cert
>> nsSSLToken: internal (software)
>> nsSSLActivation: on
>>
>>
>> I installed everything via Yum and only added the encryption
>> settings and "nsslapd-security: on" after going through the
>> setup-ds script.
>>
>> When I run openssl s_client -connect localhost:636 it connects
>> fine with AES256-SHA
>>
>>
>> When I specify a cipher it fails the handshake.
>>
>> root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher
>> DHE-DSS-AES128-SHA
>
> try adding -debug - let's see if s_client will tell us the list of
> ciphers the server says are available
>
>> CONNECTED(00000003)
>> 139667370157896:error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>> failure:s23_clnt.c:674:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 58 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>> [root at ldap01 ~]#
>>
>> I checked on the redhat site and DHE-DSS-AES128-SHA should be
>> included (tls_dhe_dss_aes_128_sha).
>>
>>
>> -Darcy
>>
>
>
> I can see the 29 ciphers (didn't want to translete them all) that
> openssl is sending within the client hello message.
>
> ...
> 0080 cf 00 00 3a 00 39 00 38 00 88 00 87 00 35 00 84 ...:.9.8 .....5..
> 0090 00 16 00 13 00 0a 00 33 00 32 00 9a 00 99 00 45 .......3 .2.....E
> 00a0 00 44 00 2f 00 96 00 41 00 05 00 04 00 15 00 12 .D./...A ........
> 00b0 00 09 00 14 00 11 00 08 00 06 00 03 00 ff
> ...
>
> But the server only sends back the one it has selected in the server
> hello message
>
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>
>
> When I use the debug and force the cipher I get the following:
>
> [root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher
> DHE-DSS-AES128-SHA -debug
> CONNECTED(00000003)
> write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))
> 0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22 ....5...1..Q.i4"
> 0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8 =.(8f....>.:C9..
> 0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32 '..[nm... .....2
> 0030 - 00 ff 01 00 00 04 00 23- .......#
> 003a - <SPACES/NULS>
> read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 28 ......(
> 139928132474696:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:674:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 58 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> [root at ldap01 ~]#
>
Ok. Please file a ticket at https://fedorahosted.org/389/newticket
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130719/b9782b33/attachment.html>
More information about the 389-users
mailing list