389-ds 184.108.40.206 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17", "Cannot communicate securely with peer: no common encryption algorithm(s)."
Fails to enable SSL with this user-specified cipher list.
git patch file (master)
Note: the test cipher list is all weak (except fortezza, which is not available).
If "allowWeakCipher: on" (default; unless allowWeakCipher is set, it is "on" for the user-specified ciphers), the server starts with the following warnings (one for each cipher name):
[..] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
and one for "fortezza":
[..] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza
But if "allowWeakCipher: off", SSL is disabled and the server starts without listening on the secure port.
[..] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
[..] - ERROR: SSL Initialization Failed. Disabling SSL.
Reviewed by Rich (Thank you!!)
Pushed to master:
685607f..83a6ceb master -> master
Pushed to 389-ds-base-1.3.3:
906106b..4e34740 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3 - 9/14 (September)
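The startup outcomes described in this ticket can be checked against a configuration before an upgrade. The sketch below is an added example, not code from the ticket or from 389-ds: it assumes the cipher list is held in the nsSSL3Ciphers attribute of cn=encryption,cn=config as comma-separated +name/-name tokens, uses a constructed sample entry, and does not handle keywords such as +all.

```python
# Added example. The sets below hold only the two names from the log lines in
# this ticket; a real audit needs the full lists for the installed NSS (assumption).
WEAK = {"rsa_fips_3des_sha"}
UNAVAILABLE = {"fortezza"}

# Constructed sample of cn=encryption,cn=config with a folded LDIF line.
SAMPLE = """dn: cn=encryption,cn=config
nsSSL3Ciphers: +rsa_fips_3des_sha,
 +fortezza
"""

def parse_entry(ldif):
    """Unfold LDIF continuation lines and return {lowercased attr: value}."""
    attrs = {}
    for line in ldif.replace("\n ", "").splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs

def predict(ldif, weak=WEAK, unavailable=UNAVAILABLE):
    """Model the startup outcome described in the ticket for one entry."""
    attrs = parse_entry(ldif)
    # Unset means "on" for a user-specified list, as the ticket states.
    allow_weak = attrs.get("allowweakcipher", "on").lower() != "off"
    active, notes = [], []
    for token in attrs.get("nsssl3ciphers", "").split(","):
        token = token.strip()
        if not token.startswith("+"):
            continue  # "-name" entries and empty tokens enable nothing
        name = token[1:]
        if name in unavailable:
            notes.append(f"{name}: not available, ignored")
        elif name in weak and not allow_weak:
            notes.append(f"{name}: weak, rejected")
        else:
            if name in weak:
                notes.append(f"{name}: weak, enabled by allowWeakCipher")
            active.append(name)
    return {"active": active, "ssl_enabled": bool(active), "notes": notes}

if __name__ == "__main__":
    for setting in ("", "allowWeakCipher: on\n", "allowWeakCipher: off\n"):
        result = predict(SAMPLE + setting)
        print(repr(setting.strip()), result["ssl_enabled"], result["notes"])
```

An entry for which ssl_enabled comes back False corresponds to the "No active cipher suite is available" case, where the server starts without listening on the secure port.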