#49145 [RFE] cipher keywords should be more consistent
Closed 2 years ago Opened 2 years ago by firstyear.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1424047

Description of problem:
There is a mismatch in the cipher keywords returned from an ldapsearch and the
ones we can actually use for the nsSSLEnabledCiphers attribute.

Here is an example (with some random cipher):

$ ldapsearch -x -D 'cn=directory manager' -W -b "cn=encryption,cn=config" nsSSLEnabledCiphers
[...]
nsSSLEnabledCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256

If people want to exclude this cipher, they need to look up [1] to see
what they have to enter into the nsSSLEnabledCiphers attribute and then
hopefully find the right 389-ds-base keyword for the cipher they want to
remove:

nsSSL3Ciphers: default,-tls_rsa_aes_256_sha,-rsa_aes_256_sha

It would be great if the cipher keywords returned from the ldapsearch
and the ones we can actually add to the nsSSLEnabledCiphers attribute
are the same.

[1] http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1


Version-Release number of selected component (if applicable):
389-ds-base-1.3.5.10-15.el7_3.x86_64

Metadata Update from @firstyear:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1424047

2 years ago

Metadata Update from @mreynolds:
- Issue tagged with: RFE

2 years ago

Metadata Update from @mreynolds:
- Custom field type adjusted to defect
- Issue set to the milestone: 1.3.7 backlog (was: 0.0 NEEDS_TRIAGE)

2 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4 backlog (was: 1.3.7 backlog)

2 years ago

@mhonek Since you love TLS, maybe something you could look at here too? Would relate closely to the work with system ciphers too I think.

Metadata Update from @firstyear:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field version adjusted to None

2 years ago

Our cipher list in ssl.c is also outdated. Changing milestone as the new UI should have the latest ciphers available for TLS configuration.

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.0 (was: 1.4 backlog)
- Issue tagged with: Cockpit

2 years ago

Metadata Update from @mhonek:
- Issue assigned to mhonek

2 years ago

This feature was implemented by Noriko in ticket #47838, particularly commit 13c0d2f. All the available ciphers are retrieved from NSS dynamically so there are no definitions to maintain manually any more, fortunately. Closing this issue.

Metadata Update from @mhonek:
- Issue status updated to: Closed (was: Open)

2 years ago
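
The following Python is an added example, not code from the ticket or from 389-ds-base. It parses the NAME::cipher::MAC::bits values that the ldapsearch in the description returns and builds an nsSSL3Ciphers value from the same NSS names, assuming a server that accepts those names as the closing comment indicates. The field meanings, the sample entries other than the first, and the weak-suite policy are assumptions.

```python
from typing import NamedTuple

# Constructed ldapsearch output; only the first value appears in the ticket.
# The GCM value is folded the way LDIF wraps long lines (leading space).
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSLEnabledCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLEnabledCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::2
 56
nsSSLEnabledCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLEnabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
"""

class Suite(NamedTuple):
    name: str    # suite name as returned by the server
    cipher: str  # assumed meaning: bulk cipher
    mac: str     # assumed meaning: MAC, or "AEAD"
    bits: int    # assumed meaning: key size in bits

def unfold(ldif):
    # Join LDIF continuation lines (lines that start with one space).
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def enabled_suites(ldif):
    suites = []
    for line in unfold(ldif):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "nssslenabledciphers":
            continue
        parts = value.strip().split("::")
        if len(parts) == 4 and parts[3].isdigit():  # skips base64 or odd values
            suites.append(Suite(parts[0], parts[1], parts[2], int(parts[3])))
    return suites

# Illustrative policy (an assumption, adjust to local requirements).
WEAK_CIPHERS = {"3DES", "DES", "RC4", "RC2", "NULL"}
WEAK_MACS = {"MD5", "SHA1"}

def is_weak(s):
    return s.cipher.upper() in WEAK_CIPHERS or s.mac.upper() in WEAK_MACS or s.bits < 128

def exclusion_value(suites, base="default"):
    # "default" is the keyword used in the ticket's nsSSL3Ciphers example.
    return ",".join([base] + ["-" + s.name for s in suites if is_weak(s)])
```

Re-running the ldapsearch after applying the generated value and restarting the server confirms which suites remain enabled.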
