#48194 nsSSL3Ciphers preference not enforced server side (regression)
Closed: Fixed None Opened 4 years ago by cviecco.

While trying to disable RC4 ciphers I came to notice that while nss default preferences seem to being set up correctly I can still connect to 389 using 'disabled' ciphers. This is on a fully patched Centos7 install with 389-ds-base-1.3.3.1-16.el7_1.x86_64.

Relevant Section of the dse config:
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
RC4_128_MD5

As expected this results in disabling among others rc4 (this is the output of the log):
[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_RSA_FIPS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT_WITH_RC4_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_SHA256: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_MD5: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC4_128_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC2_128_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_DES_192_EDE3_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_DES_64_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC4_128_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - 389-Directory/1.3.3.1 B2015.118.1941 starting up

However when connecting with ssl I succeed:
openssl s_client -connect localhost:636 -cipher RC4-SHA

.....

SSL handshake has read 5015 bytes and written 427 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: 0D92E8D6919DFD52359B8C81938E221408124796BA2D7ADA05D351DCA83D02AB
Session-ID-ctx:
Master-Key: 6E48D87A2E185B7E0A0CCB324DE426F971C0AD3BA2041294E2DED0D0F6C11F6FE7D8FDE9A6E920E93C921C6E635135B7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1433873485
Timeout : 300 (sec)
Verify return code: 0 (ok)


^C

and even nmap:
nmap --script ssl-enum-ciphers -p 636 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-09 18:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

The setting did worked in 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 (centos 6.6).


Could you please run this search and attach the search result?
$ ldapsearch -x -D 'cn=directory manager' -W -b "cn=encryption,cn=config"

ldapsearch -x -D 'cn=directory manager' -W -b 'cn=encryption,cn=config' -Z
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=encryption,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3: off
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
 128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
 6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
 SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
 LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
 WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
 BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
 RC4_128_MD5
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD:
 :128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1
 28
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::1
 28
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::
 128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::
 128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::
 256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::
 256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
nsSSLSupportedCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
nsSSLSupportedCiphers: SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
nsSSLSupportedCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSL2: off
nsTLS1: on
sslVersionMax: TLS1.2

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: SERVERNAME
nsSSLToken: internal (software)
nsSSLActivation: on

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

Thank you for reviewing the patch, Rich!

Pushed to master:
70fa356..53c9c4e master -> master
commit 53c9c4e

Pushed to 389-ds-base-1.3.3:
18f3e3a..99109e3 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 99109e3

Ticket #48194 - CI test: fixing test cases for ticket 48194

Description: nsSSL3Ciphers preference not enforced server side
. Test Case 6 - wrong expectation for RC4-SHA
. Test Case 7 - removing a extra space in nsSSL3Ciphers

Pushed to master:
d1b0acd..f69ce33 master -> master
commit f69ce33

Pushed to 389-ds-base-1.3.4:
4f3b802..ca9e6f9 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit ca9e6f9

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3.12

2 years ago

Login to comment on this ticket.

Metadata