389-ds 22.214.171.124 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17", "Cannot communicate securely with peer: no common encryption algorithm(s)."
Fails to enable SSL with this user specified cipher list.
git patch file (master)
Note: the test cipher list is all weak (except fortezza, which is not available).
If "allowWeakCipher: on" (default; unless allowWeakCipher is set, it is "on" for the user specified ciphers), the server starts with the warnings (for each cipher name):
[..] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
and one for "fortezza":
[..] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza
But if "allowWeakCipher: off", SSL is disabled and the server starts without listening on the secure port.
[..] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
[..] - ERROR: SSL Initialization Failed. Disabling SSL.
Reviewed by Rich (Thank you!!)
Pushed to master:
685607f..83a6ceb master -> master
Pushed to 389-ds-base-1.3.3:
906106b..4e34740 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
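The allowWeakCipher behaviour described in the comments above can be checked against a configuration before an upgrade or restart. The following is an added example, not part of the original ticket or the 389-ds code base. It assumes the `+name`/`-name` list syntax of nsSSL3Ciphers, a constructed sample entry, and weak/unavailable sets that hold only the two cipher names quoted in the log lines; keywords such as "all" or "default" are not modelled.

```python
# Added example: predicts whether SSL would stay enabled for a given
# cn=encryption,cn=config entry. Not 389-ds code.
WEAK = {"rsa_fips_3des_sha"}   # reported as weak in the log line quoted above
UNAVAILABLE = {"fortezza"}     # reported as not available in NSS 3.17 above

# Constructed sample input (not taken from a real server).
SAMPLE_DSE = """\
dn: cn=encryption,cn=config
objectClass: top
nsSSL3Ciphers: +rsa_fips_3des_sha,
 +fortezza
allowWeakCipher: off

dn: cn=other,cn=config
cn: other
"""

def encryption_entry(ldif_text):
    """Return {attr_lowercase: value} for cn=encryption,cn=config."""
    unfolded = ldif_text.replace("\n ", "")  # join LDIF continuation lines
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                attrs[name.strip().lower()] = value.strip()
        if attrs.get("dn", "").lower() == "cn=encryption,cn=config":
            return attrs
    return {}

def predict(ldif_text, weak=WEAK, unavailable=UNAVAILABLE):
    """Apply the rules from the ticket to a user-specified cipher list."""
    entry = encryption_entry(ldif_text)
    # Unset allowWeakCipher counts as "on" for user-specified ciphers.
    allow_weak = entry.get("allowweakcipher", "on").lower() == "on"
    active, warnings = [], []
    for token in entry.get("nsssl3ciphers", "").split(","):
        token = token.strip()
        if not token.startswith("+"):
            continue  # "-name" entries are explicitly disabled
        name = token[1:]
        if name in unavailable:
            warnings.append(name + ": not available, ignored")
        elif name in weak and not allow_weak:
            warnings.append(name + ": weak, rejected (allowWeakCipher off)")
        else:
            if name in weak:
                warnings.append(name + ": weak, enabled (allowWeakCipher on)")
            active.append(name)
    return {"active": active, "ssl_enabled": bool(active), "warnings": warnings}
```

An empty `active` list corresponds to the "No active cipher suite is available" failure, where the server starts without listening on the secure port.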
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3 - 9/14 (September)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)