#47908 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server
Closed: Fixed None Opened 5 years ago by nhosoi.

Original summary:
389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)."

Fails to enable SSL with this user-specified cipher list (shown on one line; it is a single attribute value):
{{{
nsSSL3Ciphers: -rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,+fortezza
}}}


Note: the test cipher list is all weak (except fortezza, which is not available).

If "allowWeakCipher: on" (default; unless allowWeakCipher is set, it is "on" for the user specified ciphers), the server starts with the warnings (for each cipher name):
{{{
[..] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
}}}
and one for "fortezza":
{{{
[..] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza
}}}
But if "allowWeakCipher: off", SSL is disabled and the server starts without listening on the secure port.
{{{
[..] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
[..] - ERROR: SSL Initialization Failed. Disabling SSL.
}}}
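
The failure described above can be reproduced in a small pre-upgrade check: parse an nsSSL3Ciphers value, drop ciphers that are unavailable in the target NSS, drop weak ones when allowWeakCipher is "off", and report whether any active cipher would remain. This is an added example, not 389-ds-base code; the weak/unavailable classification is an assumption taken from the ticket text (every listed cipher is weak, fortezza is not available in NSS 3.17), and the alert strings are modelled on the log lines above rather than copied from the server.

```python
"""Model of the cipher-preference outcome described in the ticket.

Added example, not 389-ds-base code. The real server asks NSS which suites
exist and which are weak; here that knowledge is an assumed table built
from the ticket text.
"""

# Assumed classification (constructed from the ticket, not queried from NSS).
WEAK_CIPHERS = {
    "rsa_null_md5", "rsa_fips_3des_sha", "rsa_fips_des_sha", "rsa_3des_sha",
    "rsa_rc4_128_md5", "rsa_des_sha", "rsa_rc2_40_md5", "rsa_rc4_40_md5",
}
# Per the ticket: fortezza is not available in NSS 3.17.
UNAVAILABLE_CIPHERS = {"fortezza"}

# The value from the ticket, wrapped across two lines exactly as it was pasted.
TICKET_CIPHER_LIST = (
    "-rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sh\n"
    "a,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,+fortezza"
)


def parse_cipher_list(value):
    """Parse an nsSSL3Ciphers value into a list of (name, enabled) pairs.

    Tokens are comma separated; a leading '+' enables and '-' disables a
    suite. All whitespace is stripped first so a value wrapped across
    lines (as in the ticket) is read as one value.
    """
    pairs = []
    for tok in "".join(value.split()).split(","):
        if not tok:
            continue
        if tok[0] in "+-":
            pairs.append((tok[1:].lower(), tok[0] == "+"))
        else:
            pairs.append((tok.lower(), True))
    return pairs


def evaluate(value, allow_weak=True):
    """Return (active_ciphers, messages) for a cipher list and allowWeakCipher.

    active_ciphers is empty exactly when the server would log "No active
    cipher suite is available" and disable SSL.
    """
    active, messages = [], []
    for name, enabled in parse_cipher_list(value):
        if not enabled:
            continue
        if name in UNAVAILABLE_CIPHERS:
            messages.append(f"SSL alert: Cipher suite {name} is not available. Ignoring {name}")
            continue
        if name in WEAK_CIPHERS:
            if allow_weak:
                messages.append(f'SSL alert: Cipher {name} is weak. It is enabled since allowWeakCipher is "on"')
            else:
                messages.append(f'SSL alert: Cipher {name} is weak. It is disabled since allowWeakCipher is "off"')
                continue
        active.append(name)
    if not active:
        messages.append("ERROR: No active cipher suite is available. SSL would be disabled.")
    return active, messages


if __name__ == "__main__":
    for setting in (True, False):
        active, messages = evaluate(TICKET_CIPHER_LIST, allow_weak=setting)
        print(f'allowWeakCipher: {"on" if setting else "off"}')
        for m in messages:
            print("  " + m)
        print(f"  active ciphers: {active or 'none (SSL disabled)'}")
```

Running it with the ticket's list shows the two outcomes from the log above: with allowWeakCipher "on" seven weak suites stay active and fortezza is ignored; with "off" nothing survives and SSL is disabled. Checking an existing nsSSL3Ciphers value this way before flipping allowWeakCipher to "off", or before upgrading NSS, is the cheap way to avoid a server that silently stops listening on its secure port.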

Reviewed by Rich (Thank you!!)

Pushed to master:
685607f..83a6ceb master -> master
commit 83a6ceb

Pushed to 389-ds-base-1.3.3:
906106b..4e34740 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 4e34740

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3 - 9/14 (September)
