After investigating, it seems that no cypersuite is available in NSS3.44, from the ones I have: [17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5 [17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_sha is not available in NSS 3.44. Ignoring rsa_null_sha [17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not available in NSS 3.44. Ignoring rsa_rc4_128_md5 [17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not available in NSS 3.44. Ignoring rsa_rc4_40_md5 [17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not available in NSS 3.44. Ignoring rsa_rc2_40_md5 [17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_des_sha is not available in NSS 3.44. Ignoring rsa_des_sha [17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not available in NSS 3.44. Ignoring rsa_fips_des_sha [17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_3des_sha is not available in NSS 3.44. Ignoring rsa_3des_sha [17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not available in NSS 3.44. Ignoring rsa_fips_3des_sha [17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza is not available in NSS 3.44. Ignoring fortezza [17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.44. Ignoring fortezza_rc4_128_sha [17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza_null is not available in NSS 3.44. Ignoring fortezza_null [17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44. Ignoring tls_rsa_export1024_with_rc4_56_sha [17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44. Ignoring tls_rsa_export1024_with_des_cbc_sha [17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_128_sha [17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_256_sha [17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error) What other cyphers should I add? Is there a recommandtion? On Tue, Sep 17, 2019 at 5:42 PM William Brown <wbrown@xxxxxxx> wrote: > > Hey there, > > Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection? > > Thanks! > > > On 17 Sep 2019, at 16:40, Mihai Carabas <mihai.carabas@xxxxxxxxx> wrote: > > > > Hello, > > > > After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the > > following issue on LDAPS: > > > > ldap_url_parse_ext(ldaps://ldap.curs.pub.ro) > > ldap_create > > ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base) > > ldap_sasl_bind > > ldap_send_initial_request > > ldap_new_connection 1 1 0 > > ldap_int_open_connection > > ldap_connect_to_host: TCP ldap.curs.pub.ro:636 > > ldap_new_socket: 3 > > ldap_prepare_socket: 3 > > ldap_connect_to_host: Trying 141.85.241.48:636 > > ldap_pvt_connect: fd: 3 tm: -1 async: 0 > > attempting to connect: > > connect success > > TLS trace: SSL_connect:before SSL initialization > > tls_write: want=303, written=303 > > 0000: 16 03 01 01 2a 01 00 01 26 03 03 72 71 d6 83 08 ....*...&..rq... > > 0010: 7a 5f 26 69 2b f7 f7 4f 59 76 87 c0 07 bc 6c db z_&i+..OYv....l. > > 0020: fe 51 69 e4 2c dc 65 3d 52 48 f6 20 2b c1 75 d1 .Qi.,.e=RH. +.u. > > 0030: 98 3b dc 70 3e 69 82 a4 41 91 7f 89 0e fc 52 43 .;.p>i..A.....RC > > 0040: ab be c9 77 0b 02 a7 f1 9f ec a7 d0 00 48 13 02 ...w.........H.. > > 0050: 13 03 13 01 13 04 c0 2c c0 30 cc a9 cc a8 c0 ad .......,.0...... > > 0060: c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 .+./...#.'...... > > 0070: c0 13 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 ...........=.<.5 > > 0080: 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 ./...........k.g > > 0090: 00 39 00 33 00 ff 01 00 00 95 00 0b 00 04 03 00 .9.3............ > > 00a0: 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 ................ > > 00b0: 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d ...#............ > > 00c0: 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 .0.............. > > 00d0: 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 ................ > > 00e0: 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 ................ > > 00f0: 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 ...+............ > > 0100: 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 4c -.....3.&.$... L > > 0110: 3f b1 bc f8 d0 a1 54 e7 a2 6f d4 d4 d1 ab b3 77 ?.....T..o.....w > > 0120: 67 2c ea 51 94 f3 fa 43 de 96 5f 9b eb 12 10 g,.Q...C.._.... > > TLS trace: SSL_connect:SSLv3/TLS write client hello > > tls_read: want=5, got=5 > > 0000: 15 03 03 00 02 ..... > > tls_read: want=2, got=2 > > 0000: 02 50 .P > > TLS trace: SSL3 alert read:fatal:internal error > > TLS trace: SSL_connect:error in error > > TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 > > alert internal error. > > ldap_err2string > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) > > > > All the things remained the same like before upgrading. I see tihs > > internal error and I could not find any hints about it. Did someone > > hit this issue? > > > > Thank you, > > Mihai Carabas > > _______________________________________________ > > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > > — > Sincerely, > > William Brown > > Senior Software Engineer, 389 Directory Server > SUSE Labs > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
