#47908 389-ds does not adjust cipher suite configuration on upgrade, breaks itself and pki-server
Closed: wontfix None Opened 9 years ago by nhosoi.

Original summary:
389-ds does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)."

Fails to enable SSL with this user specified cipher list.
nsSSL3Ciphers: -rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sh

Note: the test cipher list is all weak (except fortezza, which is not available).

If "allowWeakCipher: on" (default; unless allowWeakCipher is set, it is "on" for the user specified ciphers), the server starts with the warnings (for each cipher name):
[..] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
and one for "fortezza":
[..] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza
But if "allowWeakCipher: off", SSL is disabled and the server starts without listening on the secure port.
[..] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: No active cipher suite is available. (Netscape Portable Runtime error 0 - no error)
[..] - ERROR: SSL Initialization Failed. Disabling SSL.

Reviewed by Rich (Thank you!!)

Pushed to master:
685607f..83a6ceb master -> master
commit 83a6ceb

Pushed to 389-ds-base-1.3.3:
906106b..4e34740 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 4e34740

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3 - 9/14 (September)

6 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1239

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Login to comment on this ticket.