[389-users] Fwd: Some cipher suites not working

Darcy Hodgson darcy at darcyhodgson.com
Fri Jul 19 17:18:18 UTC 2013


Will do. Thanks.


On Fri, Jul 19, 2013 at 12:45 PM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 07/19/2013 10:43 AM, Darcy Hodgson wrote:
>
>
>  On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>>   On 07/19/2013 08:38 AM, Darcy Hodgson wrote:
>>
>>
>>
>>
>> On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>>>   On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
>>>
>>> Hello,
>>>
>>> I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been
>>> able to get it working and can connect with LDAPS. However when I started
>>> to disable some of the ciphers I noticed that my server wasn't accepting
>>> any of the DHE ciphers. I enabled all the ciphers with +all and used sslmap
>>> to confirm that the server was only choosing RSA.
>>>
>>> I checked the logs and the only thing they say is "Cannot communicate
>>> securely with peer: no common encryption algorithm(s)."
>>>
>>> Any help getting the DHE ciphers to work or pointing me to some
>>> documentation would be appreciated.
>>>
>>>
>>>  Can you please provide the exact steps to reproduce the issue?  Please
>>> include the versions of the nspr, nss, openldap, and 389-ds-base packages.
>>> Have you tried openssl s_client?
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Darcy
>>>
>>>
>>>        Here is the requested software installed.
>>
>>  openssh-5.3p1-84.1.el6.x86_64
>>  389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
>> openssh-clients-5.3p1-84.1.el6.x86_64
>> nspr-4.9.2-1.el6.x86_64
>> nss-sysinit-3.14.0.0-12.el6.x86_64
>> openldap-2.4.23-32.el6_4.1.x86_64
>>  nss-softokn-freebl-3.12.9-11.el6.x86_64
>> openssh-server-5.3p1-84.1.el6.x86_64
>> nss-softokn-3.12.9-11.el6.x86_64
>> openldap-clients-2.4.23-32.el6_4.1.x86_64
>> 389-ds-base-1.2.11.15-14.el6_4.x86_64
>> nss-util-3.14.0.0-2.el6.x86_64
>> nss-3.14.0.0-12.el6.x86_64
>> openssl-1.0.0-27.el6_4.2.x86_64
>> nss-tools-3.14.0.0-12.el6.x86_64
>>
>>  Here are my encryption settings.
>>
>>  dn: cn=encryption,cn=config
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> cn: encryption
>> nsSSLSessionTimeout: 0
>> nsSSLClientAuth: allowed
>> nsSSL2: off
>> nsSSL3: off
>> nsSSL3Ciphers: +all
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=server,cn=plugins,cn=config
>> createTimestamp: 20130702171319Z
>> modifyTimestamp: 20130702171319Z
>> numSubordinates: 1
>>
>>  dn: cn=RSA,cn=encryption,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: nsEncryptionModule
>> cn: RSA
>> nsSSLPersonalitySSL: test-cert
>> nsSSLToken: internal (software)
>> nsSSLActivation: on
>>
>>
>>  I installed everything via Yum and only added the encryption settings
>> and "nsslapd-security: on" after going through the setup-ds script.
>>
>>  When I run openssl s_client -connect localhost:636 it connects fine
>> with AES256-SHA
>>
>>
>>  When I specify a cipher it fails the handshake.
>>
>>  [root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher
>> DHE-DSS-AES128-SHA
>>
>>
>>  try adding -debug - let's see if s_client will tell us the list of
>> ciphers the server says are available
>>
>>    CONNECTED(00000003)
>> 139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
>> alert handshake failure:s23_clnt.c:674:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 58 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>> [root at ldap01 ~]#
>>
>>  I checked on the redhat site and DHE-DSS-AES128-SHA should be included
>> (tls_dhe_dss_aes_128_sha).
>>
>>
>>  -Darcy
>>
>>
>>
>  I can see the 29 ciphers (didn't want to translate them all) that
> openssl is sending within the client hello message.
>
>  ...
> 0080  cf 00 00 3a 00 39 00 38  00 88 00 87 00 35 00 84   ...:.9.8 .....5..
> 0090  00 16 00 13 00 0a 00 33  00 32 00 9a 00 99 00 45   .......3 .2.....E
> 00a0  00 44 00 2f 00 96 00 41  00 05 00 04 00 15 00 12   .D./...A ........
> 00b0  00 09 00 14 00 11 00 08  00 06 00 03 00 ff
> ...
>
>  But the server only sends back the one it has selected in the server
> hello message
>
>  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>
>
>  When I use the debug and force the cipher I get the following:
>
>  [root at ldap01 ~]# openssl s_client -connect localhost:636 -cipher
> DHE-DSS-AES128-SHA -debug
>  CONNECTED(00000003)
> write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))
> 0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22   ....5...1..Q.i4"
> 0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8   =.(8f....>.:C9..
> 0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32   '..[nm... .....2
> 0030 - 00 ff 01 00 00 04 00 23-                          .......#
> 003a - <SPACES/NULS>
> read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 28                              ......(
> 139928132474696:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:674:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 58 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> [root at ldap01 ~]#
>
>    Ok.  Please file a ticket at https://fedorahosted.org/389/newticket
>
>
>
>
>
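An added example, not part of the thread or of the 389 project: the two TLS records from the `-debug` output quoted above, decoded to show exactly what the forced-cipher client offered and how the server answered. The suite and alert names are the IANA registry names; the two final ClientHello bytes, which the dump elides as <SPACES/NULS>, are assumed to be 00 00.

```python
import struct

# Bytes copied from the s_client -debug dump in the thread (58 written, 7 read).
# Assumption: the last two bytes, elided as <SPACES/NULS>, are 00 00.
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 35 01 00 00 31 03 01 51 e9 69 34 22"
    "3d f2 28 38 66 ea 10 81 9f 3e e9 3a 43 39 b1 d8"
    "27 7f af 5b 6e 6d ff b1 db 20 ae 00 00 04 00 32"
    "00 ff 01 00 00 04 00 23 00 00")
SERVER_REPLY = bytes.fromhex("15 03 01 00 02 02 28")

SUITES = {0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure"}

def split_record(data):
    """Return (content_type, payload) of one TLS record, rejecting truncation."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, payload

def offered_suites(record):
    """List the cipher suites a plaintext ClientHello record offers."""
    ctype, hs = split_record(record)
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32            # handshake header, client_version, random
    pos += 1 + hs[pos]          # skip session_id (length-prefixed)
    (nbytes,) = struct.unpack_from("!H", hs, pos)
    ids = struct.unpack_from("!%dH" % (nbytes // 2), hs, pos + 2)
    return [SUITES.get(i, "0x%04x" % i) for i in ids]

def decode_alert(record):
    """Return (level, description) of a plaintext TLS alert record."""
    ctype, body = split_record(record)
    if ctype != 21 or len(body) != 2:
        raise ValueError("not a plaintext alert")
    return (ALERT_LEVELS.get(body[0], str(body[0])),
            ALERT_DESCRIPTIONS.get(body[1], str(body[1])))

if __name__ == "__main__":
    print("client offered:", offered_suites(CLIENT_HELLO))
    print("server replied:", decode_alert(SERVER_REPLY))
```

The 0x00ff entry is the renegotiation signalling value rather than a real cipher, so the only usable suite in the offer was the DHE-DSS one, and the server's 7-byte reply is a fatal handshake_failure alert.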