Description of problem:
Setting up SSL/TLS enables ciphers that are unsupported by the underlying NSS libs. Also, disabling them in the console still results in a warning about them being unsupported.

Version-Release number of selected component (if applicable):
389-ds-console-1.2.12-1.el7dsrv.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Setup RHDS
2. Enable SSL/TLS as per the Admin Guide sec. 7.4 using the Admin Console
3. Use the default ciphers as part of the SSL/TLS enablement

Actual results:
From /var/log/dirsrv/slapd-ID/errors:
{{{
SSL alert: Cipher suite fortezza_null is not available in NSS 3.19. Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.19. Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19. Ignoring fortezza_rc4_128_sha
}}}
Even after manually turning them off in the Admin Console, it configures:
{{{
nsSSL3Ciphers: ...,-fortezza_null, -fortezza, -fortezza_rc4_128_sha,...
}}}
resulting in the same errors.

Expected results:
The Admin Console not to configure (either enable or disable) unsupported ciphers.
attachment 0001-Ticket-48743-idm-console-framework-disable-fortezza-.patch
DS fix to not check if disabled ciphers are known 0001-Ticket-48743-If-a-cipher-is-disabled-do-not-attempt-.patch
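The two patches above attack the problem from both ends: the console stops enabling the obsolete fortezza suites (writing them as disabled by default), and the server stops looking up a cipher it is only being asked to disable, so a "-fortezza" entry no longer produces an "is not available in NSS" alert. The following is an added illustration of that logic in plain Python; it is not code from 389-ds-base or idm-console-framework. The NSS cipher table, the console's cipher list, and the function names are constructed for the example; only the attribute syntax (comma-separated names prefixed with "+" or "-") and the three fortezza names come from the ticket.

```python
"""Model of the nsSSL3Ciphers handling discussed in ticket 48743.

Added example, not project code. Assumed: nsSSL3Ciphers is a comma-separated
list of cipher names, each prefixed '+' (enable) or '-' (disable); the cipher
tables below are constructed samples, not the real NSS 3.19 or console lists.
"""

# Constructed sample of the suites the NSS library reports as available.
NSS_AVAILABLE = frozenset({
    "rsa_aes_128_sha",
    "rsa_aes_256_sha",
    "rsa_3des_sha",
    "rsa_rc4_128_md5",
})

# The three obsolete suites from the error log in the ticket.
OBSOLETE = ("fortezza_null", "fortezza", "fortezza_rc4_128_sha")

# Constructed sample of the suites the console offers in its SSL dialog.
CONSOLE_CIPHERS = ("rsa_aes_128_sha", "rsa_aes_256_sha", "rsa_3des_sha",
                   "rsa_rc4_128_md5") + OBSOLETE


def parse_cipher_spec(spec):
    """Split an nsSSL3Ciphers value into (enabled, name) pairs.

    Tokens without a sign count as enabled; whitespace around tokens, as in
    the ticket's "-fortezza_null, -fortezza", is ignored.
    """
    entries = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] in "+-":
            entries.append((token[0] == "+", token[1:].strip()))
        else:
            entries.append((True, token))
    return entries


def unknown_cipher_alerts(spec, available=NSS_AVAILABLE, check_disabled=True):
    """Return the 'Cipher suite X is not available' alerts the server would log.

    check_disabled=True models the server before the DS patch: every listed
    suite is looked up, so '-fortezza' still triggers an alert.
    check_disabled=False models the DS patch: a suite that is being disabled
    is never looked up, since there is nothing to disable if NSS lacks it.
    """
    alerts = []
    for enabled, name in parse_cipher_spec(spec):
        if name == "all":
            continue  # keyword covering every suite, not a suite itself
        if not enabled and not check_disabled:
            continue
        if name not in available:
            alerts.append("SSL alert: Cipher suite %s is not available in NSS. "
                          "Ignoring %s" % (name, name))
    return alerts


def console_cipher_spec(user_enabled, console_ciphers=CONSOLE_CIPHERS):
    """Model the console after 'Disable fortezza by default'.

    Every suite the console knows is written out: '+' if the admin turned it
    on, '-' otherwise. The obsolete suites start off, so a fresh setup writes
    '-fortezza...' and relies on the server-side change to stay silent.
    (Constructed behaviour for the example; the real console patch is not
    reproduced here.)
    """
    user_enabled = set(user_enabled)
    parts = []
    for name in console_ciphers:
        sign = "+" if name in user_enabled and name not in OBSOLETE else "-"
        parts.append(sign + name)
    return ",".join(parts)


if __name__ == "__main__":
    spec = console_cipher_spec(["rsa_aes_128_sha", "rsa_aes_256_sha"])
    print("console writes:", spec)
    for line in unknown_cipher_alerts(spec):
        print("pre-fix server:", line)
    print("post-fix server alerts:", unknown_cipher_alerts(spec, check_disabled=False))
```

Running it prints the three fortezza alerts for the pre-fix server and an empty list for the post-fix one, which is the behaviour confirmed later in the ticket (disabled in the console, no errors after restart); an enabled but unavailable suite still produces an alert in both modes, so the check is only skipped where it is meaningless, not removed.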
To ssh://git.fedorahosted.org/git/389/ds.git 622d6a6..6b61e05 master -> master commit 6b61e05 Author: Mark Reynolds mreynolds@redhat.com Date: Thu Jul 7 14:53:48 2016 -0400
To ssh://git.fedorahosted.org/git/idm-console-framework.git 0296644..97cc684 master -> master commit 97cc6843765a1860eb55d92cc767a9fb26972535
Disable fortezza by default 0001-Ticket-48743-ds-console-enables-obsolete-SSL-ciphers.patch
Hi Mark,
Could you check your error log? If you don't see these, you have my ack. :)

Actual results:
From /var/log/dirsrv/slapd-ID/errors:
{{{
SSL alert: Cipher suite fortezza_null is not available in NSS 3.##. Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.##. Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.##. Ignoring fortezza_rc4_128_sha
}}}

Thanks!
Replying to [comment:9 nhosoi]:
Hi Mark,
Could you check your error log? If you don't see these, you have my ack. :)

Actual results:
From /var/log/dirsrv/slapd-ID/errors:
{{{
SSL alert: Cipher suite fortezza_null is not available in NSS 3.##. Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.##. Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.##. Ignoring fortezza_rc4_128_sha
}}}

Thanks!
Already did :-) If they are turned off in the console, they don't report any errors when the server is restarted. I turned them on, saw the errors, turned them off, no errors.
Thank you!!!!!!
603800c..e86e7b6 master -> master commit e86e7b606a1ceb1bee18df728699111b26193148 Author: Mark Reynolds mreynolds@redhat.com Date: Tue Oct 18 13:46:33 2016 -0400
Metadata Update from @nhosoi: - Issue assigned to mreynolds - Issue set to the milestone: 389-admin,console 1.1.44
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1803
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)