#48194 nsSSL3Ciphers preference not enforced server side (regression)
Closed: wontfix None Opened 5 years ago by cviecco.

While trying to disable RC4 ciphers I came to notice that, while the NSS default preferences seem to be set up correctly, I can still connect to 389 using 'disabled' ciphers. This is on a fully patched CentOS 7 install with 389-ds-base-1.3.3.1-16.el7_1.x86_64.

Relevant Section of the dse config:
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
RC4_128_MD5

As expected, this results in disabling, among others, RC4 (this is the output of the log):
[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_RSA_FIPS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT_WITH_RC4_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_SHA256: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_MD5: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC4_128_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC2_128_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_DES_192_EDE3_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_DES_64_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC4_128_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - 389-Directory/1.3.3.1 B2015.118.1941 starting up

However when connecting with ssl I succeed:
openssl s_client -connect localhost:636 -cipher RC4-SHA

.....

SSL handshake has read 5015 bytes and written 427 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: 0D92E8D6919DFD52359B8C81938E221408124796BA2D7ADA05D351DCA83D02AB
Session-ID-ctx:
Master-Key: 6E48D87A2E185B7E0A0CCB324DE426F971C0AD3BA2041294E2DED0D0F6C11F6FE7D8FDE9A6E920E93C921C6E635135B7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1433873485
Timeout : 300 (sec)
Verify return code: 0 (ok)


^C

and even nmap:
nmap --script ssl-enum-ciphers -p 636 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-09 18:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

The setting did work in 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 (CentOS 6.6).
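
Added example (not part of the original ticket or of the 389-ds code base): a Python check that automates the comparison made by hand above, cross-referencing the startup cipher log with `ssl-enum-ciphers` scan output and listing suites the server negotiates although it logged them as disabled. The sample inputs are constructed excerpts in the two formats quoted in this report, and the function names are hypothetical.

```python
import re

# Constructed sample: lines in the format of the 389-ds error log quoted in the ticket.
SAMPLE_LOG = """\
[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
"""

# Constructed sample: lines in the format of the nmap ssl-enum-ciphers output quoted in the ticket.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
"""

# "<suite>: enabled" / "<suite>: disabled, (...)" entries in the server log.
LOG_RE = re.compile(r"SSL alert: ((?:TLS|SSL)_\w+): (enabled|disabled)")
# "| <suite> - <grade>" entries in the scan report.
SCAN_RE = re.compile(r"^\|\s*((?:TLS|SSL)_\w+) - \w+", re.M)


def logged_state(log_text):
    """Map cipher suite name -> True if the server logged it as enabled."""
    return {name: state == "enabled" for name, state in LOG_RE.findall(log_text)}


def offered_suites(scan_text):
    """Cipher suites the scanner actually negotiated with the server."""
    return set(SCAN_RE.findall(scan_text))


def enforcement_gaps(log_text, scan_text):
    """Suites accepted on the wire but logged as disabled (or never logged)."""
    state = logged_state(log_text)
    return sorted(s for s in offered_suites(scan_text) if not state.get(s, False))


if __name__ == "__main__":
    for suite in enforcement_gaps(SAMPLE_LOG, SAMPLE_SCAN):
        print("accepted although not enabled:", suite)
```

An empty result means the scan saw only suites the server reported as enabled; any entry is a suite whose configured state and on-the-wire behaviour disagree.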


Could you please run this search and attach the search result?
$ ldapsearch -x -D 'cn=directory manager' -W -b "cn=encryption,cn=config"

ldapsearch -x -D 'cn=directory manager' -W -b 'cn=encryption,cn=config' -Z
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=encryption,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3: off
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
 128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
 6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
 SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
 LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
 WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
 BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
 RC4_128_MD5
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD:
 :128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1
 28
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::1
 28
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::
 128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::
 128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::
 256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::
 256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
nsSSLSupportedCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
nsSSLSupportedCiphers: SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
nsSSLSupportedCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSL2: off
nsTLS1: on
sslVersionMax: TLS1.2

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: SERVERNAME
nsSSLToken: internal (software)
nsSSLActivation: on

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

Thank you for reviewing the patch, Rich!

Pushed to master:
70fa356..53c9c4e master -> master
commit 53c9c4e

Pushed to 389-ds-base-1.3.3:
18f3e3a..99109e3 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 99109e3

Ticket #48194 - CI test: fixing test cases for ticket 48194

Description: nsSSL3Ciphers preference not enforced server side
. Test Case 6 - wrong expectation for RC4-SHA
. Test Case 7 - removing an extra space in nsSSL3Ciphers

Pushed to master:
d1b0acd..f69ce33 master -> master
commit f69ce33

Pushed to 389-ds-base-1.3.4:
4f3b802..ca9e6f9 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit ca9e6f9

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.3.12

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1525

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

6 days ago
