Re: Fwd: Some cipher suites not working

[Darcy Hodgson <darcy@xxxxxxxxxxxxxxxx>]

Will do. Thanks.

On Fri, Jul 19, 2013 at 12:45 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 07/19/2013 10:43 AM, Darcy Hodgson wrote:

On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 07/19/2013 08:38 AM, Darcy Hodgson wrote:

On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 07/19/2013 06:43 AM, Darcy Hodgson wrote:

Hello,

I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been able to get it working and can connect with LDAPS. However when I started to disabled some of the ciphers I noticed that my server wasn't accepting any of the DHE ciphers. I enabled all the ciphers with +all and used sslmap to confirm that the server was only choosing RSA.

I checked the logs and the only thing they say is "Cannot communicate securely with peer: no common encryption algorithm(s)."

Any help getting the DHE ciphers to work or pointing me to some documentation would be appreciated.

Can you please provide the exact steps to reproduce the issue?  Please include the versions of the nspr, nss, openldap, and 389-ds-base packages.
Have you tried openssl s_client?

Thanks,

Darcy

 Here is the requested software installed.

openssh-5.3p1-84.1.el6.x86_64

389-ds-base-libs-1.2.11.15-14.el6_4.x86_64

openssh-clients-5.3p1-84.1.el6.x86_64

nspr-4.9.2-1.el6.x86_64

nss-sysinit-3.14.0.0-12.el6.x86_64

openldap-2.4.23-32.el6_4.1.x86_64

nss-softokn-freebl-3.12.9-11.el6.x86_64

openssh-server-5.3p1-84.1.el6.x86_64

nss-softokn-3.12.9-11.el6.x86_64

openldap-clients-2.4.23-32.el6_4.1.x86_64

389-ds-base-1.2.11.15-14.el6_4.x86_64

nss-util-3.14.0.0-2.el6.x86_64

nss-3.14.0.0-12.el6.x86_64

openssl-1.0.0-27.el6_4.2.x86_64

nss-tools-3.14.0.0-12.el6.x86_64

Here is my encryption settings.

dn: cn=encryption,cn=config

objectClass: top

objectClass: nsEncryptionConfig

cn: encryption

nsSSLSessionTimeout: 0

nsSSLClientAuth: allowed

nsSSL2: off

nsSSL3: off

nsSSL3Ciphers: +all

creatorsName: cn=server,cn=plugins,cn=config

modifiersName: cn=server,cn=plugins,cn=config

createTimestamp: 20130702171319Z

modifyTimestamp: 20130702171319Z

numSubordinates: 1

dn: cn=RSA,cn=encryption,cn=config

changetype: add

objectclass: top

objectclass: nsEncryptionModule

cn: RSA

nsSSLPersonalitySSL: test-cert

nsSSLToken: internal (software)

nsSSLActivation: on

I installed everything via Yum and only added the encryption settings and "nsslapd-security: on" after going through the setup-ds script.

When I run openssl s_client -connect localhost:636 it connects fine with AES256-SHA

When I specify a cipher it fails the handshake.

root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA

try adding -debug - let's see if s_client will tell us the list of ciphers the server says are available

CONNECTED(00000003)

139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 7 bytes and written 58 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

---

[root@ldap01 ~]# 

I checked on the redhat site and DHE-DSS-AES128-SHA should be included (tls_dhe_dss_aes_128_sha).

-Darcy

I can see the 29 ciphers (didn't want to translete them all) that openssl is sending within the client hello message.

...

0080  cf 00 00 3a 00 39 00 38  00 88 00 87 00 35 00 84   ...:.9.8 .....5..

0090  00 16 00 13 00 0a 00 33  00 32 00 9a 00 99 00 45   .......3 .2.....E

00a0  00 44 00 2f 00 96 00 41  00 05 00 04 00 15 00 12   .D./...A ........

00b0  00 09 00 14 00 11 00 08  00 06 00 03 00 ff

...

But the server only sends back the one it has selected in the server hello message

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

When I use the debug and force the cipher I get the following:

[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA -debug

CONNECTED(00000003)

write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))

0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22   ....5...1..Q.i4"

0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8   =.(8f....>.:C9..

0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32   '..[nm... .....2

0030 - 00 ff 01 00 00 04 00 23-                          .......#

003a - <SPACES/NULS>

read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))

0000 - 15 03 01 00 02 02 28                              ......(

139928132474696:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 7 bytes and written 58 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

---

[root@ldap01 ~]#  

Ok.  Please file a ticket at https://fedorahosted.org/389/newticket

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users