#49145 [RFE] cipher keywords should be more consistent
Closed: wontfix 2 years ago Opened 3 years ago by firstyear.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1424047

Description of problem:
There is mismatch in the cipher keywords returned from an ldapsearch and the
ones we can actually use for the nsSSLEnabledCiphers attribute.

Here is an example (with some random cipher):

$ ldapsearch -x -D 'cn=directory manager' -W -b "cn=encryption,cn=config" nsSSLEnabledCiphers
[...]
nsSSLEnabledCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256

If people want to exclude this cipher, they need to look up [1] to see
what they have to enter into the nsSSLEnabledCiphers attribute and then
hopefully find the right 389-ds-base keyword for the cipher they want to
remove:

nsSSL3Ciphers: default,-tls_rsa_aes_256_sha,-rsa_aes_256_sha

It would be great if the cipher keywords returned from the ldapsearch
and the ones we can actually add to the nsSSLEnabledCiphers attribute
are the same.

[1] http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1


Version-Release number of selected component (if applicable):
389-ds-base-1.3.5.10-15.el7_3.x86_64


Metadata Update from @firstyear:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1424047

3 years ago
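
An added example, not part of the ticket or of 389-ds-base: a Python audit of nsSSLEnabledCiphers values like the one in the description, assuming the four "::"-separated fields are suite name, cipher, MAC and key bits (inferred from that single value). The sample input beyond the first value line and the weak-cipher policy are constructed for illustration.

```python
from collections import namedtuple

# Constructed ldapsearch output; only the first value line appears in the ticket.
SAMPLE = """\
dn: cn=encryption,cn=config
nsSSLEnabledCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLEnabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLEnabledCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::56
nsSSLEnabledCiphers: not-a-cipher-value
"""

# Hypothetical audit policy, not a 389-ds-base or NSS default.
WEAK_CIPHERS = {"NULL", "RC4", "DES", "3DES"}
WEAK_MACS = {"MD5", "SHA1"}
MIN_KEY_BITS = 128

Suite = namedtuple("Suite", "name cipher mac bits")  # assumed field order

def parse_enabled_ciphers(ldif):
    """Return (suites, malformed_values) from nsSSLEnabledCiphers lines."""
    suites, malformed = [], []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(": ")
        # LDAP attribute names are case-insensitive; skip every other line.
        if not sep or attr.lower() != "nssslenabledciphers":
            continue
        parts = value.strip().split("::")
        if len(parts) != 4 or not parts[3].isdigit():
            malformed.append(value.strip())  # keep for manual review
            continue
        suites.append(Suite(parts[0], parts[1], parts[2], int(parts[3])))
    return suites, malformed

def audit(suites):
    """Map suite name to the list of policy violations found for it."""
    findings = {}
    for s in suites:
        checks = [
            (s.cipher.upper() in WEAK_CIPHERS, f"cipher {s.cipher}"),
            (s.mac.upper() in WEAK_MACS, f"MAC {s.mac}"),
            (s.bits < MIN_KEY_BITS, f"{s.bits}-bit key"),
        ]
        reasons = [msg for failed, msg in checks if failed]
        if reasons:
            findings[s.name] = reasons
    return findings

if __name__ == "__main__":
    suites, bad = parse_enabled_ciphers(SAMPLE)
    print(audit(suites), bad)
```

The flagged names are the NSS suite names as returned by the search; which keyword the server accepts for disabling them depends on the 389-ds-base version, which is the subject of this ticket.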

Metadata Update from @mreynolds:
- Issue tagged with: RFE

3 years ago

Metadata Update from @mreynolds:
- Custom field type adjusted to defect
- Issue set to the milestone: 1.3.7 backlog (was: 0.0 NEEDS_TRIAGE)

3 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4 backlog (was: 1.3.7 backlog)

3 years ago

@mhonek Since you love TLS, maybe something you could look at here too? Would relate closely to the work with system ciphers too I think.

Metadata Update from @firstyear:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field version adjusted to None

2 years ago

Our cipher list in ssl.c is also outdated. Changing milestone as the new UI should have the latest ciphers available for TLS configuration.

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.0 (was: 1.4 backlog)
- Issue tagged with: Cockpit

2 years ago

Metadata Update from @mhonek:
- Issue assigned to mhonek

2 years ago

This feature was implemented by Noriko in ticket #47838, particularly commit 13c0d2f. All the available ciphers are retrieved from NSS dynamically so there are no definitions to maintain manually any more, fortunately. Closing this issue.

Metadata Update from @mhonek:
- Issue status updated to: Closed (was: Open)

2 years ago

389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in 389-ds-base's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/2204

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix

15 days ago
