Re: Fwd: Some cipher suites not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/19/2013 10:43 AM, Darcy Hodgson wrote:

On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 07/19/2013 08:38 AM, Darcy Hodgson wrote:



On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
Hello,

I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been able to get it working and can connect with LDAPS. However when I started to disabled some of the ciphers I noticed that my server wasn't accepting any of the DHE ciphers. I enabled all the ciphers with +all and used sslmap to confirm that the server was only choosing RSA.

I checked the logs and the only thing they say is "Cannot communicate securely with peer: no common encryption algorithm(s)."

Any help getting the DHE ciphers to work or pointing me to some documentation would be appreciated.

Can you please provide the exact steps to reproduce the issue?  Please include the versions of the nspr, nss, openldap, and 389-ds-base packages.
Have you tried openssl s_client?



Thanks,

Darcy


 Here is the requested software installed.

openssh-5.3p1-84.1.el6.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64
nss-util-3.14.0.0-2.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
nss-tools-3.14.0.0-12.el6.x86_64

Here is my encryption settings.

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: +all
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20130702171319Z
modifyTimestamp: 20130702171319Z
numSubordinates: 1

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: test-cert
nsSSLToken: internal (software)
nsSSLActivation: on


I installed everything via Yum and only added the encryption settings and "nsslapd-security: on" after going through the setup-ds script.

When I run openssl s_client -connect localhost:636 it connects fine with AES256-SHA


When I specify a cipher it fails the handshake.

root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA

try adding -debug - let's see if s_client will tell us the list of ciphers the server says are available

CONNECTED(00000003)
139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@ldap01 ~]# 

I checked on the redhat site and DHE-DSS-AES128-SHA should be included (tls_dhe_dss_aes_128_sha).


-Darcy



I can see the 29 ciphers (didn't want to translete them all) that openssl is sending within the client hello message.

...
0080  cf 00 00 3a 00 39 00 38  00 88 00 87 00 35 00 84   ...:.9.8 .....5..
0090  00 16 00 13 00 0a 00 33  00 32 00 9a 00 99 00 45   .......3 .2.....E
00a0  00 44 00 2f 00 96 00 41  00 05 00 04 00 15 00 12   .D./...A ........
00b0  00 09 00 14 00 11 00 08  00 06 00 03 00 ff
...

But the server only sends back the one it has selected in the server hello message

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)


When I use the debug and force the cipher I get the following:

[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA -debug
CONNECTED(00000003)
write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))
0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22   ....5...1..Q.i4"
0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8   =.(8f....>.:C9..
0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32   '..[nm... .....2
0030 - 00 ff 01 00 00 04 00 23-                          .......#
003a - <SPACES/NULS>
read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
139928132474696:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@ldap01 ~]#  

Ok.  Please file a ticket at https://fedorahosted.org/389/newticket



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux