On 07/19/2013 08:38 AM, Darcy Hodgson wrote:
> On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson <rmegg...@redhat.com
> <mailto:rmegg...@redhat.com>> wrote:
> > On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
> > > Hello,
> > > I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have
> > > been able to get it working and can connect with LDAPS. However,
> > > when I started to disable some of the ciphers I noticed that my
> > > server wasn't accepting any of the DHE ciphers. I enabled all the
> > > ciphers with +all and used sslmap to confirm that the server was
> > > only choosing RSA.
> > > I checked the logs and the only thing they say is "Cannot
> > > communicate securely with peer: no common encryption algorithm(s)."
> > > Any help getting the DHE ciphers to work or pointing me to some
> > > documentation would be appreciated.
> > Can you please provide the exact steps to reproduce the issue?
> > Please include the versions of the nspr, nss, openldap, and
> > 389-ds-base packages.
> > Have you tried openssl s_client?
> > > Thanks,
> > > Darcy
> Here is the requested software installed.
> openssh-5.3p1-84.1.el6.x86_64
> 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
> openssh-clients-5.3p1-84.1.el6.x86_64
> nspr-4.9.2-1.el6.x86_64
> nss-sysinit-3.14.0.0-12.el6.x86_64
> openldap-2.4.23-32.el6_4.1.x86_64
> nss-softokn-freebl-3.12.9-11.el6.x86_64
> openssh-server-5.3p1-84.1.el6.x86_64
> nss-softokn-3.12.9-11.el6.x86_64
> openldap-clients-2.4.23-32.el6_4.1.x86_64
> 389-ds-base-1.2.11.15-14.el6_4.x86_64
> nss-util-3.14.0.0-2.el6.x86_64
> nss-3.14.0.0-12.el6.x86_64
> openssl-1.0.0-27.el6_4.2.x86_64
> nss-tools-3.14.0.0-12.el6.x86_64
> Here are my encryption settings.
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> nsSSL3Ciphers: +all
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20130702171319Z
> modifyTimestamp: 20130702171319Z
> numSubordinates: 1
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: test-cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
> I installed everything via Yum and only added the encryption settings
> and "nsslapd-security: on" after going through the setup-ds script.
> When I run openssl s_client -connect localhost:636 it connects fine
> with AES256-SHA.
> When I specify a cipher it fails the handshake.
> [root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher
> DHE-DSS-AES128-SHA
try adding -debug - let's see if s_client will tell us the list of
ciphers the server says are available
> CONNECTED(00000003)
> 139667370157896:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:674:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 58 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> [root@ldap01 ~]#
> I checked on the redhat site and DHE-DSS-AES128-SHA should be included
> (tls_dhe_dss_aes_128_sha).
> -Darcy
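As an added diagnostic for the thread above (example code, not from the thread or from the 389 DS project): a POSIX shell probe that attempts one openssl s_client handshake per cipher suite known to the local OpenSSL and reports what the server actually negotiated, so the suites it silently rejects stand out from the one it picks by default. The host name and port are assumptions. Since DHE-DSS suites such as the one tested above can only be negotiated against a DSA-signed server certificate, the per-suite results are best read alongside the key type of the certificate the server presents.

```shell
#!/bin/sh
# Added example: probe which TLS cipher suites a listener will actually
# negotiate, one "openssl s_client" run per suite.  Not code from the
# thread; host/port are assumptions supplied by the caller.

# classify_handshake: read openssl s_client output on stdin and print the
# negotiated cipher name, or FAIL when the summary line reads
# "Cipher is (NONE)" (as in the handshake failure quoted in the thread)
# or when no summary line is present at all.
classify_handshake() {
    # keep only what follows "Cipher is " on the "New, ..." summary line
    cipher=$(sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo FAIL ;;
        *) echo "$cipher" ;;
    esac
}

# probe_ciphers HOST PORT: for every suite the local OpenSSL knows,
# restrict the client to that single suite and record the outcome.
# Suites the server does not offer produce the same "sslv3 alert
# handshake failure" seen in the thread and are reported as FAIL.
probe_ciphers() {
    host=$1
    port=$2
    openssl ciphers 'ALL:!eNULL' | tr ':' '\n' | while read -r suite; do
        result=$(openssl s_client -connect "$host:$port" -cipher "$suite" \
                 </dev/null 2>/dev/null | classify_handshake)
        printf '%-32s %s\n' "$suite" "$result"
    done
}

# Usage against a live listener (not executed here):
#   probe_ciphers ldap01.example.com 636
```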
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users