While trying to disable RC4 ciphers I came to notice that, while the NSS default preferences seem to be set up correctly, I can still connect to 389 using 'disabled' ciphers. This is on a fully patched CentOS 7 install with 389-ds-base-1.3.3.1-16.el7_1.x86_64.
Relevant section of the dse config:

nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
 128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
 6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
 SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
 LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
 WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
 BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
 RC4_128_MD5
As expected this results in disabling among others rc4 (this is the output of the log):

[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_RSA_FIPS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT_WITH_RC4_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_SHA256: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: TLS_RSA_WITH_NULL_MD5: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC4_128_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC2_128_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_DES_192_EDE3_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_DES_64_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC4_128_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
However when connecting with ssl I succeed:

openssl s_client -connect localhost:636 -cipher RC4-SHA

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : RC4-SHA
    Session-ID: 0D92E8D6919DFD52359B8C81938E221408124796BA2D7ADA05D351DCA83D02AB
    Session-ID-ctx:
    Master-Key: 6E48D87A2E185B7E0A0CCB324DE426F971C0AD3BA2041294E2DED0D0F6C11F6FE7D8FDE9A6E920E93C921C6E635135B7
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1433873485
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
^C
and even nmap:

nmap --script ssl-enum-ciphers -p 636 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-09 18:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
The setting did work in 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 (CentOS 6.6).
Could you please run this search and attach the search result?

$ ldapsearch -x -D 'cn=directory manager' -W -b "cn=encryption,cn=config"
ldapsearch -x -D 'cn=directory manager' -W -b 'cn=encryption,cn=config' -Z
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=encryption,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3: off
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
 128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
 6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
 SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
 LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
 WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
 BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
 RC4_128_MD5
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD:
 :128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1
 28
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::1
 28
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::
 128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::
 128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::
 256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::
 256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
nsSSLSupportedCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
nsSSLSupportedCiphers: SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
nsSSLSupportedCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSL2: off
nsTLS1: on
sslVersionMax: TLS1.2

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: SERVERNAME
nsSSLToken: internal (software)
nsSSLActivation: on

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
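The comparison made by eye in the posts above, as an added example that is not part of the ticket or of 389-ds-base: it unfolds the LDIF, reads `nssslenabledciphers`, and lists the suites that nmap's `ssl-enum-ciphers` reports on the listener although the server does not list them as enabled. The sample inputs are constructed (abridged from the outputs quoted above) and the function names are hypothetical.

```python
import re

# Constructed sample inputs, abridged from the outputs quoted in this ticket.
LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_C
 BC_SHA,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_RC4_128_MD5
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::25
 6
"""

NMAP = """\
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", text)

def enabled_ciphers(ldif):
    """Suite names the server reports in nssslenabledciphers (text before '::')."""
    out = set()
    for line in unfold_ldif(ldif).splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "nssslenabledciphers":
            out.add(value.strip().split("::")[0])
    return out

def offered_ciphers(nmap_output):
    """Suite names listed by ssl-enum-ciphers as '|   NAME - grade' lines."""
    return set(re.findall(r"^\|[ \t]+((?:TLS|SSL)_\w+) - \w+", nmap_output, re.M))

def policy_violations(ldif, nmap_output):
    """Suites the listener offers although the configuration does not enable them."""
    return sorted(offered_ciphers(nmap_output) - enabled_ciphers(ldif))

if __name__ == "__main__":
    for suite in policy_violations(LDIF, NMAP):
        print("offered but not enabled:", suite)
```

An empty result means the listener offers nothing outside the enabled set.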
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1230996
git patch file (master) 0001-Ticket-48194-nsSSL3Ciphers-preference-not-enforced-s.patch
Thank you for reviewing the patch, Rich!
Pushed to master: 70fa356..53c9c4e master -> master commit 53c9c4e
Pushed to 389-ds-base-1.3.3: 18f3e3a..99109e3 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 99109e3
git patch file (master) -- CI test 0001-Ticket-48194-CI-test-added-test-cases-for-ticket-481.patch
Ticket #48194 - CI test: fixing test cases for ticket 48194
Description: nsSSL3Ciphers preference not enforced server side
. Test Case 6 - wrong expectation for RC4-SHA
. Test Case 7 - removing an extra space in nsSSL3Ciphers
Pushed to master: d1b0acd..f69ce33 master -> master commit f69ce33
Pushed to 389-ds-base-1.3.4: 4f3b802..ca9e6f9 389-ds-base-1.3.4 -> 389-ds-base-1.3.4 commit ca9e6f9
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.3.3.12
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1525
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)