On 9/17/19 10:48 AM, Mihai Carabas wrote:
After investigating, it seems that no cypersuite is available in
NSS3.44, from the ones I have:
[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_null_md5 is not available
in NSS 3.44. Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_null_sha is not available
in NSS 3.44. Ignoring rsa_null_sha
[17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not
available in NSS 3.44. Ignoring rsa_rc4_128_md5
[17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not
available in NSS 3.44. Ignoring rsa_rc4_40_md5
[17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not
available in NSS 3.44. Ignoring rsa_rc2_40_md5
[17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_des_sha is not available
in NSS 3.44. Ignoring rsa_des_sha
[17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not
available in NSS 3.44. Ignoring rsa_fips_des_sha
[17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_3des_sha is not available
in NSS 3.44. Ignoring rsa_3des_sha
[17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not
available in NSS 3.44. Ignoring rsa_fips_3des_sha
[17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza is not available in
NSS 3.44. Ignoring fortezza
[17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not
available in NSS 3.44. Ignoring fortezza_rc4_128_sha
[17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite fortezza_null is not
available in NSS 3.44. Ignoring fortezza_null
[17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite
tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44.
Ignoring tls_rsa_export1024_with_rc4_56_sha
[17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite
tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44.
Ignoring tls_rsa_export1024_with_des_cbc_sha
[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not
available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
[17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security
Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not
available in NSS 3.44. Ignoring tls_rsa_aes_256_sha
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security
Initialization - SSL alert: Failed to set SSL cipher preference
information: No active cipher suite is available. (Netscape Portable
Runtime error 0 - no error)
What other cyphers should I add? Is there a recommandtion?
Use the NSS defaults by either removing "nsSSL3Ciphers" from
cn=encryption,cn=config, or setting it to "default". If you directly
edit dse.ldif then make sure the server is stopped first. If you use
ldapmodify then you need to restart the server for the change to take effect
HTH,
Mark
On Tue, Sep 17, 2019 at 5:42 PM William Brown <wbrown@xxxxxxx> wrote:
Hey there,
Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
Thanks!
On 17 Sep 2019, at 16:40, Mihai Carabas <mihai.carabas@xxxxxxxxx> wrote:
Hello,
After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the
following issue on LDAPS:
ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
ldap_create
ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.curs.pub.ro:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 141.85.241.48:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=303, written=303
0000: 16 03 01 01 2a 01 00 01 26 03 03 72 71 d6 83 08 ....*...&..rq...
0010: 7a 5f 26 69 2b f7 f7 4f 59 76 87 c0 07 bc 6c db z_&i+..OYv....l.
0020: fe 51 69 e4 2c dc 65 3d 52 48 f6 20 2b c1 75 d1 .Qi.,.e=RH. +.u.
0030: 98 3b dc 70 3e 69 82 a4 41 91 7f 89 0e fc 52 43 .;.p>i..A.....RC
0040: ab be c9 77 0b 02 a7 f1 9f ec a7 d0 00 48 13 02 ...w.........H..
0050: 13 03 13 01 13 04 c0 2c c0 30 cc a9 cc a8 c0 ad .......,.0......
0060: c0 2b c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 .+./...#.'......
0070: c0 13 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 ...........=.<.5
0080: 00 2f 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 ./...........k.g
0090: 00 39 00 33 00 ff 01 00 00 95 00 0b 00 04 03 00 .9.3............
00a0: 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 ................
00b0: 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d ...#............
00c0: 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 .0..............
00d0: 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 ................
00e0: 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 ................
00f0: 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 ...+............
0100: 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 4c -.....3.&.$... L
0110: 3f b1 bc f8 d0 a1 54 e7 a2 6f d4 d4 d1 ab b3 77 ?.....T..o.....w
0120: 67 2c ea 51 94 f3 fa 43 de 96 5f 9b eb 12 10 g,.Q...C.._....
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
0000: 15 03 03 00 02 .....
tls_read: want=2, got=2
0000: 02 50 .P
TLS trace: SSL3 alert read:fatal:internal error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1
alert internal error.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
All the things remained the same like before upgrading. I see tihs
internal error and I could not find any hints about it. Did someone
hit this issue?
Thank you,
Mihai Carabas
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
--
389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
