Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1424047
Description of problem:

There is a mismatch in the cipher keywords returned from an ldapsearch and the ones we can actually use for the nsSSLEnabledCiphers attribute. Here is an example (with some random cipher):

    $ ldapsearch -x -D 'cn=directory manager' -W -b "cn=encryption,cn=config" nsSSLEnabledCiphers
    [...]
    nsSSLEnabledCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256

If people want to exclude this cipher, they need to look up [1] to see what they have to enter into the nsSSLEnabledCiphers attribute and then hopefully find the right 389-ds-base keyword for the cipher they want to remove:

    nsSSL3Ciphers: default,-tls_rsa_aes_256_sha,-rsa_aes_256_sha

It would be great if the cipher keywords returned from the ldapsearch and the ones we can actually add to the nsSSLEnabledCiphers attribute were the same.

[1] http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1

Version-Release number of selected component (if applicable): 389-ds-base-1.3.5.10-15.el7_3.x86_64

How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
Metadata Update from @firstyear: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1424047
Metadata Update from @mreynolds: - Issue tagged with: RFE
Metadata Update from @mreynolds: - Custom field type adjusted to defect - Issue set to the milestone: 1.3.7 backlog (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mreynolds: - Issue set to the milestone: 1.4 backlog (was: 1.3.7 backlog)
@mhonek Since you love TLS, maybe something you could look at here too? Would relate closely to the work with system ciphers too I think.
Metadata Update from @firstyear: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field version adjusted to None
Our cipher list in ssl.c is also outdated. Changing milestone as the new UI should have the latest ciphers available for TLS configuration.
Metadata Update from @mreynolds: - Issue set to the milestone: 1.4.0 (was: 1.4 backlog) - Issue tagged with: Cockpit
Metadata Update from @mhonek: - Issue assigned to mhonek
This feature was implemented by Noriko in ticket #47838, particularly commit 13c0d2f. All the available ciphers are retrieved from NSS dynamically so there are no definitions to maintain manually any more, fortunately. Closing this issue.
Metadata Update from @mhonek: - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in 389-ds-base's GitHub repository.
This issue has been cloned to GitHub and is available here: - https://github.com/389ds/389-ds-base/issues/2204
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix