On Tue, Sep 17, 2019 at 5:54 PM Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
>
>
> On 9/17/19 10:48 AM, Mihai Carabas wrote:
> > After investigating, it seems that no cipher suite is available in
> > NSS 3.44, from the ones I have:
> >
> > [17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5
> > [17/Sep/2019:17:17:51.046184006 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_sha is not available in NSS 3.44. Ignoring rsa_null_sha
> > [17/Sep/2019:17:17:51.049197624 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_128_md5 is not available in NSS 3.44. Ignoring rsa_rc4_128_md5
> > [17/Sep/2019:17:17:51.052249745 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc4_40_md5 is not available in NSS 3.44. Ignoring rsa_rc4_40_md5
> > [17/Sep/2019:17:17:51.055254561 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_rc2_40_md5 is not available in NSS 3.44. Ignoring rsa_rc2_40_md5
> > [17/Sep/2019:17:17:51.058247777 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_des_sha is not available in NSS 3.44. Ignoring rsa_des_sha
> > [17/Sep/2019:17:17:51.061275196 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_fips_des_sha is not available in NSS 3.44. Ignoring rsa_fips_des_sha
> > [17/Sep/2019:17:17:51.064327017 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_3des_sha is not available in NSS 3.44. Ignoring rsa_3des_sha
> > [17/Sep/2019:17:17:51.067376038 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_fips_3des_sha is not available in NSS 3.44. Ignoring rsa_fips_3des_sha
> > [17/Sep/2019:17:17:51.070412458 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza is not available in NSS 3.44. Ignoring fortezza
> > [17/Sep/2019:17:17:51.073432076 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.44. Ignoring fortezza_rc4_128_sha
> > [17/Sep/2019:17:17:51.076475196 +0300] - WARN - Security Initialization - SSL alert: Cipher suite fortezza_null is not available in NSS 3.44. Ignoring fortezza_null
> > [17/Sep/2019:17:17:51.079531618 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_export1024_with_rc4_56_sha is not available in NSS 3.44. Ignoring tls_rsa_export1024_with_rc4_56_sha
> > [17/Sep/2019:17:17:51.082648346 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_export1024_with_des_cbc_sha is not available in NSS 3.44. Ignoring tls_rsa_export1024_with_des_cbc_sha
> > [17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
> > [17/Sep/2019:17:17:51.088832198 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_256_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_256_sha
> > [17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
> >
> >
> > What other ciphers should I add? Is there a recommendation?
>
> Use the NSS defaults by either removing "nsSSL3Ciphers" from
> cn=encryption,cn=config, or setting it to "default". If you directly
> edit dse.ldif then make sure the server is stopped first. If you use
> ldapmodify then you need to restart the server for the change to take effect.

Awesome. Thank you Mark!

> HTH,
> Mark
>
> >
> >
> > On Tue, Sep 17, 2019 at 5:42 PM William Brown <wbrown@xxxxxxx> wrote:
> >> Hey there,
> >>
> >> Can you send us the access log of the connection attempt, as well as the command line options you used to make the connection?
> >>
> >> Thanks!
> >>
> >>> On 17 Sep 2019, at 16:40, Mihai Carabas <mihai.carabas@xxxxxxxxx> wrote:
> >>>
> >>> Hello,
> >>>
> >>> After upgrading to the latest 389ds (1.4.0.27) with FC29, I have the
> >>> following issue on LDAPS:
> >>>
> >>> ldap_url_parse_ext(ldaps://ldap.curs.pub.ro)
> >>> ldap_create
> >>> ldap_url_parse_ext(ldaps://ldap.curs.pub.ro:636/??base)
> >>> ldap_sasl_bind
> >>> ldap_send_initial_request
> >>> ldap_new_connection 1 1 0
> >>> ldap_int_open_connection
> >>> ldap_connect_to_host: TCP ldap.curs.pub.ro:636
> >>> ldap_new_socket: 3
> >>> ldap_prepare_socket: 3
> >>> ldap_connect_to_host: Trying 141.85.241.48:636
> >>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> >>> attempting to connect:
> >>> connect success
> >>> TLS trace: SSL_connect:before SSL initialization
> >>> tls_write: want=303, written=303
> >>> TLS trace: SSL_connect:SSLv3/TLS write client hello
> >>> tls_read: want=5, got=5
> >>> 0000: 15 03 03 00 02 .....
> >>> tls_read: want=2, got=2
> >>> 0000: 02 50 .P
> >>> TLS trace: SSL3 alert read:fatal:internal error
> >>> TLS trace: SSL_connect:error in error
> >>> TLS: can't connect: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error.
> >>> ldap_err2string
> >>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >>>
> >>> All the things remained the same as before upgrading. I see this
> >>> internal error and I could not find any hints about it. Did someone
> >>> hit this issue?
> >>>
> >>> Thank you,
> >>> Mihai Carabas
> >>> _______________________________________________
> >>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >> —
> >> Sincerely,
> >>
> >> William Brown
> >>
> >> Senior Software Engineer, 389 Directory Server
> >> SUSE Labs
> > --
> > 389 Directory Server Development Team
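An added example, not part of the thread or of 389ds itself: a small Python audit that ties the two symptoms above together. It scans a 389ds errors log for the "Cipher suite ... is not available in NSS ..." warnings and the final "No active cipher suite is available" failure, decodes the raw alert bytes the client saw (15 03 03 00 02 / 02 50 is a fatal internal_error alert), and emits the LDIF for the nsSSL3Ciphers reset Mark describes. The log text and the exact set of suites in it are constructed for the example.

```python
import re

# Constructed sample, modelled on the 389ds error-log lines quoted in the thread.
SAMPLE_LOG = """\
[17/Sep/2019:17:17:51.043017973 +0300] - WARN - Security Initialization - SSL alert: Cipher suite rsa_null_md5 is not available in NSS 3.44. Ignoring rsa_null_md5
[17/Sep/2019:17:17:51.085715470 +0300] - WARN - Security Initialization - SSL alert: Cipher suite tls_rsa_aes_128_sha is not available in NSS 3.44. Ignoring tls_rsa_aes_128_sha
[17/Sep/2019:17:17:51.092772913 +0300] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
"""

IGNORED_RE = re.compile(r"Cipher suite (\S+) is not available in NSS (\S+)\. Ignoring")
NO_ACTIVE_RE = re.compile(r"No active cipher suite is available")

def audit_cipher_warnings(log_text):
    """Return (ignored suite names, NSS version seen, True if no suite was left active)."""
    ignored, nss_version, no_active = [], None, False
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            ignored.append(m.group(1))
            nss_version = m.group(2)
        elif NO_ACTIVE_RE.search(line):
            no_active = True
    return ignored, nss_version, no_active

# TLS alert levels and the descriptions relevant here (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

def decode_tls_alert(record):
    """Decode a raw TLS alert record, e.g. the 15 03 03 00 02 / 02 50 bytes in the trace."""
    if len(record) != 7 or record[0] != 0x15 or int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("not a well-formed TLS alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, str(level)), ALERT_DESCRIPTIONS.get(desc, str(desc)), desc

def remediation_ldif():
    """LDIF for ldapmodify that resets nsSSL3Ciphers to the NSS defaults, as Mark suggests."""
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: nsSSL3Ciphers\n"
            "nsSSL3Ciphers: default\n")

if __name__ == "__main__":
    ignored, ver, dead = audit_cipher_warnings(SAMPLE_LOG)
    print(f"NSS {ver} ignored {len(ignored)} configured suite(s); no active suite left: {dead}")
    print("client-side alert decodes to:", decode_tls_alert(bytes.fromhex("15030300020250")))
    if dead:
        print("fix (then restart the server):\n" + remediation_ldif())
```

Feed the real errors log to audit_cipher_warnings() to confirm that every configured suite was dropped before touching the config; if a suite survives, the internal_error may have a different cause.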