> It looks like it is just a client connection that is using AES GCM, it
> hasn't got to process the ldap request yet. I think that the following
> should work:
>
> openssl s_client -connect LDAPHOSTNAME:636 -cipher ECDHE-RSA-AES256-GCM-SHA384
>
> Should be able to reproduce it. Else, you can wait patiently for the
> crash to happen again.
>
> Perhaps try unsetting the variables Noriko mentioned, test that the
> openssl command does indeed cause a crash, then re-apply the
> environment variables to see if that prevents it?
>

Hello,

when I try to connect from Centos7 machine to the ldap server and there is no NSS export in the dirsrv file, it crashes. I am not using the cipher option in this case:

$ openssl version; rpm -qa openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
openssl-1.0.1e-51.el7_2.2.x86_64

$ openssl s_client -connect ldap:636
CONNECTED(00000003)
depth=1 DC = X, CN = CA cert
verify error:num=19:self signed certificate in certificate chain
verify return:0
140122355623840:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/CN=ds1
   i:/DC=X/CN=CA cert
 1 s:/DC=X/CN=CA cert
   i:/DC=X/CN=CA cert
---
Server certificate
-----BEGIN CERTIFICATE-----
ZZZ
-----END CERTIFICATE-----
subject=/CN=ds1
issuer=/DC=X/CN=CA cert
---
Acceptable client certificate CA names
/DC=X/CN=CA cert
/DC=X/CN=DS2 CA cert
---
SSL handshake has read 1360 bytes and written 202 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 464F740F8FAF113738A1AF18487D382AA5C7B9DA202FD7ADA644A75FD63BC291
    Session-ID-ctx:
    Master-Key: ZZZ
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1453966206
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Same happens from Fedora23 and Centos6.

F23:
$ openssl version;rpm -qa openssl
OpenSSL 1.0.2e-fips 3 Dec 2015
openssl-1.0.2e-3.fc23.x86_64

C6:
$ openssl version; rpm -qa openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
openssl-1.0.1e-30.el6_6.5.x86_64

From Centos5 it is OK:
$ openssl version;rpm -qa openssl
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
openssl-0.9.8e-32.el5_11

With "export NSS_DISABLE_HW_GCM=1", there are no crashes, with and without the cipher option. Moreover, with the cipher option it says:

CONNECTED(00000003)
139960478934944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 119 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

With "export NSS_DISABLE_HW_AES=1" there are no crashes.

I have a secondary LDAP server, which has the following software versions:

389-admin-1.1.35-1.el6.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.11.15-48.el6_6.x86_64
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
nss-3.16.2.3-3.el6_6.x86_64

It was OK with all the stuff I was throwing on it. After the update to the following versions:

389-admin-1.1.35-1.el6.x86_64
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
nss-3.19.1-8.el6_7.x86_64

it started crashing.

Many thanks for your help
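
Added example, not part of the original message or of the 389 project: a small shell helper for comparing s_client runs like the ones above, with and without the NSS_DISABLE_HW_* variables set on the server. It reports whether a suite was negotiated and whether it is an AES-GCM suite; the function names are hypothetical and the two sample transcripts are trimmed copies of the output quoted in the message.

```shell
#!/bin/sh
# Classify an `openssl s_client` transcript read on stdin.
# Prints: <status> <cipher> <mode>
#   negotiated <suite> gcm|non-gcm : a cipher suite was agreed
#   rejected (NONE) -              : handshake ended with no cipher
#   unknown - -                    : no "Cipher is" summary line present
# Live use: openssl s_client -connect LDAPHOSTNAME:636 </dev/null 2>&1 | classify_s_client
classify_s_client() {
    awk '
        # Summary line, e.g. "New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256"
        /Cipher is / {
            cipher = $0
            sub(/.*Cipher is /, "", cipher)   # keep only the suite name
            sub(/[ \t\r]+$/, "", cipher)      # drop trailing whitespace / CR
            seen = 1
        }
        END {
            if (!seen)              { print "unknown - -"; exit }
            if (cipher == "(NONE)") { print "rejected (NONE) -"; exit }
            mode = "non-gcm"
            if (cipher ~ /GCM/) mode = "gcm"
            print "negotiated", cipher, mode
        }
    '
}

# Sample 1: trimmed from the run without the -cipher option (server crashed).
sample_without_cipher_option() {
    cat <<'EOF'
CONNECTED(00000003)
140122355623840:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 1024 bit
EOF
}

# Sample 2: trimmed from the run with -cipher and NSS_DISABLE_HW_GCM=1 set.
sample_with_cipher_option() {
    cat <<'EOF'
CONNECTED(00000003)
139960478934944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
New, (NONE), Cipher is (NONE)
EOF
}

sample_without_cipher_option | classify_s_client
sample_with_cipher_option | classify_s_client
```

The first sample shows an AES-GCM suite was selected before the failure, while the second shows the server refused the handshake before any suite was chosen, so the two runs exercise different code paths.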