#48743 RHDS Admin Console enables unsupported Ciphers by default
Closed: wontfix None Opened 5 years ago by nhosoi.

Description of problem:
Setting up SSL/TLS enables ciphers that are unsupported by the
underlying NSS libs. Also, disabling them in the console still results in a
warning about them being unsupported.


Version-Release number of selected component (if applicable):
389-ds-console-1.2.12-1.el7dsrv.noarch

How reproducible:
Always.


Steps to Reproduce:
1. Set up RHDS
2. Enable SSL/TLS as per the Admin Guide sec. 7.4 using the Admin Console
3. Use the default ciphers as part of the SSL/TLS enablement

Actual results:
From /var/log/dirsrv/slapd-ID/errors:
SSL alert: Cipher suite fortezza_null is not available in NSS 3.19.  Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.19.  Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19.  Ignoring fortezza_rc4_128_sha

Even after manually turning them off in the Admin Console, it configures:
nsSSL3Ciphers: ...,-fortezza_null, -fortezza, -fortezza_rc4_128_sha,...

resulting in the same errors.

Expected results:
The Admin Console not to configure (either enable or disable) unsupported
ciphers.
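
Added example (not part of the original ticket or of the 389-ds code): a small audit that cross-references the "not available in NSS" warnings from the errors log with an nsSSL3Ciphers value and lists every entry, enabled or disabled, that names an unavailable suite. The function names and the sample value are assumptions made for illustration; the log lines are the ones quoted above.

```python
import re

# Matches the warning quoted in this ticket; any prefix on the line is ignored.
UNAVAILABLE = re.compile(r"Cipher suite (\S+) is not available in NSS")

def unavailable_suites(log_lines):
    """Return the set of cipher names the server reported as unavailable."""
    return {m.group(1) for line in log_lines if (m := UNAVAILABLE.search(line))}

def split_cipher_value(value):
    """Split an nsSSL3Ciphers value into (sign, name) pairs."""
    entries = []
    for raw in value.split(","):
        token = raw.strip()          # the console writes ", " between some entries
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError(f"entry without +/- prefix: {token!r}")
        entries.append((token[0], token[1:]))
    return entries

def audit(value, log_lines):
    """Return (entries naming unavailable suites, value with those entries removed)."""
    bad = unavailable_suites(log_lines)
    flagged, kept = [], []
    for sign, name in split_cipher_value(value):
        # The sign is irrelevant: a "-" entry still makes the server look the name up.
        (flagged if name in bad else kept).append(sign + name)
    return flagged, ",".join(kept)

# Log lines as quoted in the ticket.
SAMPLE_LOG = [
    "SSL alert: Cipher suite fortezza_null is not available in NSS 3.19.  Ignoring fortezza_null",
    "SSL alert: Cipher suite fortezza is not available in NSS 3.19.  Ignoring fortezza",
    "SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19.  Ignoring fortezza_rc4_128_sha",
]
# Constructed sample value: the three fortezza entries come from the ticket,
# the two surrounding entries are placeholders for the elided "..." parts.
SAMPLE_VALUE = "+rsa_aes_128_sha,-fortezza_null, -fortezza, -fortezza_rc4_128_sha,+rsa_aes_256_sha"

if __name__ == "__main__":
    flagged, cleaned = audit(SAMPLE_VALUE, SAMPLE_LOG)
    print("entries naming unavailable suites:", flagged)
    print("nsSSL3Ciphers without them:", cleaned)
```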

To ssh://git.fedorahosted.org/git/389/ds.git
622d6a6..6b61e05 master -> master
commit 6b61e05
Author: Mark Reynolds mreynolds@redhat.com
Date: Thu Jul 7 14:53:48 2016 -0400

To ssh://git.fedorahosted.org/git/idm-console-framework.git
0296644..97cc684 master -> master
commit 97cc6843765a1860eb55d92cc767a9fb26972535

Hi Mark,

Could you check your error log? If you don't see these, you have my ack. :)
Actual results:
{{{
From /var/log/dirsrv/slapd-ID/errors:
SSL alert: Cipher suite fortezza_null is not available in NSS 3.##. Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.##. Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.##. Ignoring fortezza_rc4_128_sha
}}}
Thanks!

Replying to [comment:9 nhosoi]:

Hi Mark,

Could you check your error log? If you don't see these, you have my ack. :)
Actual results:
{{{
From /var/log/dirsrv/slapd-ID/errors:
SSL alert: Cipher suite fortezza_null is not available in NSS 3.##. Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.##. Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.##. Ignoring fortezza_rc4_128_sha
}}}
Thanks!

Already did :-) If they are turned off in the console, they don't report any errors when the server is restarted. I turned them on, saw the errors, turned them off, no errors.

603800c..e86e7b6 master -> master
commit e86e7b606a1ceb1bee18df728699111b26193148
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Oct 18 13:46:33 2016 -0400

Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone: 389-admin,console 1.1.44

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1803

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

8 months ago
