Re: 389ds ldaps issue after upgrade

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



After investigating, it seems that no cypersuite is available in
NSS3.44, from the ones I have:

[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_null_md5 is not available
in NSS 3.44.  Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_null_sha is not available
in NSS 3.44.  Ignoring rsa_null_sha
[17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not
available in NSS 3.44.  Ignoring rsa_rc4_128_md5
[17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not
available in NSS 3.44.  Ignoring rsa_rc4_40_md5
[17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not
available in NSS 3.44.  Ignoring rsa_rc2_40_md5
[17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_des_sha is not available
in NSS 3.44.  Ignoring rsa_des_sha
[17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not
available in NSS 3.44.  Ignoring rsa_fips_des_sha
[17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_3des_sha is not available
in NSS 3.44.  Ignoring rsa_3des_sha
[17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not
available in NSS 3.44.  Ignoring rsa_fips_3des_sha
[17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza is not available in
NSS 3.44.  Ignoring fortezza
[17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not
available in NSS 3.44.  Ignoring fortezza_rc4_128_sha
[17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza_null is not
available in NSS 3.44.  Ignoring fortezza_null
[17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite
tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44.
Ignoring tls_rsa_export1024_with_rc4_56_sha
[17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite
tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44.
Ignoring tls_rsa_export1024_with_des_cbc_sha
[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not
available in NSS 3.44.  Ignoring tls_rsa_aes_128_sha
[17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not
available in NSS 3.44.  Ignoring tls_rsa_aes_256_sha
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security
Initialization - SSL alert: Failed to set SSL cipher preference
information: No active cipher suite is available. (Netscape Portable
Runtime error 0 - no error)


What other cyphers should I add? Is there a recommandtion?

On Tue, Sep 17, 2019 at 5:42 PM William Brown <wbrown@xxxxxxx> wrote:
>
> Hey there,
>
> Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
>
> Thanks!
>
> > On 17 Sep 2019, at 16:40, Mihai Carabas <mihai.carabas@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the
> > following issue on LDAPS:
> >
> > ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
> > ldap_create
> > ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP ldap.curs.pub.ro:636
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying 141.85.241.48:636
> > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > attempting to connect:
> > connect success
> > TLS trace: SSL_connect:before SSL initialization
> > tls_write: want=303, written=303
> >  0000:  16 03 01 01 2a 01 00 01  26 03 03 72 71 d6 83 08   ....*...&..rq...
> >  0010:  7a 5f 26 69 2b f7 f7 4f  59 76 87 c0 07 bc 6c db   z_&i+..OYv....l.
> >  0020:  fe 51 69 e4 2c dc 65 3d  52 48 f6 20 2b c1 75 d1   .Qi.,.e=RH. +.u.
> >  0030:  98 3b dc 70 3e 69 82 a4  41 91 7f 89 0e fc 52 43   .;.p>i..A.....RC
> >  0040:  ab be c9 77 0b 02 a7 f1  9f ec a7 d0 00 48 13 02   ...w.........H..
> >  0050:  13 03 13 01 13 04 c0 2c  c0 30 cc a9 cc a8 c0 ad   .......,.0......
> >  0060:  c0 2b c0 2f c0 ac c0 23  c0 27 c0 0a c0 14 c0 09   .+./...#.'......
> >  0070:  c0 13 00 9d c0 9d 00 9c  c0 9c 00 3d 00 3c 00 35   ...........=.<.5
> >  0080:  00 2f 00 9f cc aa c0 9f  00 9e c0 9e 00 6b 00 67   ./...........k.g
> >  0090:  00 39 00 33 00 ff 01 00  00 95 00 0b 00 04 03 00   .9.3............
> >  00a0:  01 02 00 0a 00 0c 00 0a  00 1d 00 17 00 1e 00 19   ................
> >  00b0:  00 18 00 23 00 00 00 16  00 00 00 17 00 00 00 0d   ...#............
> >  00c0:  00 30 00 2e 04 03 05 03  06 03 08 07 08 08 08 09   .0..............
> >  00d0:  08 0a 08 0b 08 04 08 05  08 06 04 01 05 01 06 01   ................
> >  00e0:  03 03 02 03 03 01 02 01  03 02 02 02 04 02 05 02   ................
> >  00f0:  06 02 00 2b 00 09 08 03  04 03 03 03 02 03 01 00   ...+............
> >  0100:  2d 00 02 01 01 00 33 00  26 00 24 00 1d 00 20 4c   -.....3.&.$... L
> >  0110:  3f b1 bc f8 d0 a1 54 e7  a2 6f d4 d4 d1 ab b3 77   ?.....T..o.....w
> >  0120:  67 2c ea 51 94 f3 fa 43  de 96 5f 9b eb 12 10      g,.Q...C.._....
> > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > tls_read: want=5, got=5
> >  0000:  15 03 03 00 02                                     .....
> > tls_read: want=2, got=2
> >  0000:  02 50                                              .P
> > TLS trace: SSL3 alert read:fatal:internal error
> > TLS trace: SSL_connect:error in error
> > TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1
> > alert internal error.
> > ldap_err2string
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > All the things remained the same like before upgrading. I see tihs
> > internal error and I could not find any hints about it. Did someone
> > hit this issue?
> >
> > Thank you,
> > Mihai Carabas
> > _______________________________________________
> > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
>
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux