On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
Can you please provide the exact steps to reproduce the issue? Please include the versions of the nspr, nss, openldap, and 389-ds-base packages.
On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
Hello,
I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been able to get it working and can connect with LDAPS. However, when I started to disable some of the ciphers I noticed that my server wasn't accepting any of the DHE ciphers. I enabled all the ciphers with +all and used sslmap to confirm that the server was only choosing RSA.
I checked the logs and the only thing they say is "Cannot communicate securely with peer: no common encryption algorithm(s)."
Any help getting the DHE ciphers to work or pointing me to some documentation would be appreciated.
Have you tried openssl s_client?
Thanks,
Darcy
Here is the requested software installed.
openssh-5.3p1-84.1.el6.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64
nss-util-3.14.0.0-2.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
nss-tools-3.14.0.0-12.el6.x86_64
Here are my encryption settings.
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: +all
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20130702171319Z
modifyTimestamp: 20130702171319Z
numSubordinates: 1

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: test-cert
nsSSLToken: internal (software)
nsSSLActivation: on
I installed everything via Yum and only added the encryption settings and "nsslapd-security: on" after going through the setup-ds script.
When I run openssl s_client -connect localhost:636 it connects fine with AES256-SHA
When I specify a cipher it fails the handshake.
[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA
CONNECTED(00000003)
139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@ldap01 ~]#
I checked on the redhat site and DHE-DSS-AES128-SHA should be included (tls_dhe_dss_aes_128_sha).
-Darcy
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
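The thread above checks individual suites by hand with `openssl s_client -cipher ...` and reads the result off the `New, ..., Cipher is ...` line. The script below is an added example (not code from the thread, from 389 DS, or from its maintainers) that automates that check for a server's whole cipher posture: it walks every suite the local openssl knows, runs `s_client` against each one, and classifies the transcript the same way a person would. The host name `ldap01.example.com` in the usage comment is a placeholder; the port defaults to 636 as in the thread. One protocol caveat worth keeping in mind when reading the results: a `DHE-DSS-*` suite requires the server to authenticate with a DSA certificate, so a server that only has an RSA certificate (like the `cn=RSA` module above) can never negotiate it, whatever `nsSSL3Ciphers` says.

```shell
#!/bin/sh
# Added example, not part of the original thread: enumerate which TLS cipher
# suites a listener will negotiate, using only openssl s_client, and classify
# each transcript as ACCEPTED <suite> or REJECTED.

# Classify one openssl s_client transcript read from stdin.
# Prints "ACCEPTED <cipher>" if a suite was negotiated, "REJECTED" if the
# server refused the handshake, "UNKNOWN" if the transcript has neither clue.
classify_s_client_output() {
    awk '
        /^New, / {
            # Either "New, TLSv1/SSLv3, Cipher is AES256-SHA"
            # or     "New, (NONE), Cipher is (NONE)"
            sub(/.*Cipher is /, "")
            if ($0 == "(NONE)") { result = "REJECTED" } else { result = "ACCEPTED " $0 }
        }
        /handshake failure/ { saw_alert = 1 }
        END {
            if (result == "") result = (saw_alert ? "REJECTED" : "UNKNOWN")
            print result
        }
    '
}

# Probe a single suite against host:port and print "<suite> <verdict>".
# stdin is redirected from /dev/null so s_client exits right after the handshake.
probe_cipher() {
    host="$1"; port="$2"; cipher="$3"
    verdict=$(openssl s_client -connect "$host:$port" -cipher "$cipher" </dev/null 2>&1 \
              | classify_s_client_output)
    echo "$cipher $verdict"
}

# Probe every suite the local openssl knows about, one line of output each.
# 'ALL:COMPLEMENTOFALL' also includes the NULL-encryption suites, which is
# exactly what you want to see listed as REJECTED on a hardened server.
probe_all_ciphers() {
    host="$1"; port="${2:-636}"
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | while read -r c; do
        probe_cipher "$host" "$port" "$c"
    done
}

# Usage (hostname is a placeholder):
#   probe_all_ciphers ldap01.example.com 636 | grep ACCEPTED
```

Run it once with `+all` in `nsSSL3Ciphers` to see the complete set the server can actually negotiate, then again after tightening the list to confirm that nothing you removed still shows up as ACCEPTED. The first run also answers the question in the thread directly: if no `DHE-*` suite is ever ACCEPTED while the RSA suites are, the server side is not offering ephemeral DH at all, which is a server capability or certificate-type limit rather than a cipher-list typo.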