Re: [389-users] Fwd: Some cipher suites not working

Fri, 19 Jul 2013 10:23:25 -0700 

On 07/19/2013 10:43 AM, Darcy Hodgson wrote:



On Fri, Jul 19, 2013 at 11:37 AM, Rich Megginson <rmegg...@redhat.com 
<mailto:rmegg...@redhat.com>> wrote:


    On 07/19/2013 08:38 AM, Darcy Hodgson wrote:




    On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson
    <rmegg...@redhat.com <mailto:rmegg...@redhat.com>> wrote:

        On 07/19/2013 06:43 AM, Darcy Hodgson wrote:

        Hello,

        I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I
        have been able to get it working and can connect with LDAPS.
        However when I started to disabled some of the ciphers I
        noticed that my server wasn't accepting any of the DHE
        ciphers. I enabled all the ciphers with +all and used sslmap
        to confirm that the server was only choosing RSA.

        I checked the logs and the only thing they say is "Cannot
        communicate securely with peer: no common encryption
        algorithm(s)."

        Any help getting the DHE ciphers to work or pointing me to
        some documentation would be appreciated.


        Can you please provide the exact steps to reproduce the
        issue?  Please include the versions of the nspr, nss,
        openldap, and 389-ds-base packages.
        Have you tried openssl s_client?




        Thanks,

        Darcy



     Here is the requested software installed.

    openssh-5.3p1-84.1.el6.x86_64
    389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
    openssh-clients-5.3p1-84.1.el6.x86_64
    nspr-4.9.2-1.el6.x86_64
    nss-sysinit-3.14.0.0-12.el6.x86_64
    openldap-2.4.23-32.el6_4.1.x86_64
    nss-softokn-freebl-3.12.9-11.el6.x86_64
    openssh-server-5.3p1-84.1.el6.x86_64
    nss-softokn-3.12.9-11.el6.x86_64
    openldap-clients-2.4.23-32.el6_4.1.x86_64
    389-ds-base-1.2.11.15-14.el6_4.x86_64
    nss-util-3.14.0.0-2.el6.x86_64
    nss-3.14.0.0-12.el6.x86_64
    openssl-1.0.0-27.el6_4.2.x86_64
    nss-tools-3.14.0.0-12.el6.x86_64

    Here is my encryption settings.

    dn: cn=encryption,cn=config
    objectClass: top
    objectClass: nsEncryptionConfig
    cn: encryption
    nsSSLSessionTimeout: 0
    nsSSLClientAuth: allowed
    nsSSL2: off
    nsSSL3: off
    nsSSL3Ciphers: +all
    creatorsName: cn=server,cn=plugins,cn=config
    modifiersName: cn=server,cn=plugins,cn=config
    createTimestamp: 20130702171319Z
    modifyTimestamp: 20130702171319Z
    numSubordinates: 1

    dn: cn=RSA,cn=encryption,cn=config
    changetype: add
    objectclass: top
    objectclass: nsEncryptionModule
    cn: RSA
    nsSSLPersonalitySSL: test-cert
    nsSSLToken: internal (software)
    nsSSLActivation: on


    I installed everything via Yum and only added the encryption
    settings and "nsslapd-security: on" after going through the
    setup-ds script.

    When I run openssl s_client -connect localhost:636 it connects
    fine with AES256-SHA


    When I specify a cipher it fails the handshake.

    root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher
    DHE-DSS-AES128-SHA


    try adding -debug - let's see if s_client will tell us the list of
    ciphers the server says are available


    CONNECTED(00000003)
    139667370157896:error:14077410:SSL
    routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
    failure:s23_clnt.c:674:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 58 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    [root@ldap01 ~]#

    I checked on the redhat site and DHE-DSS-AES128-SHA should be
    included (tls_dhe_dss_aes_128_sha).


    -Darcy





I can see the 29 ciphers (didn't want to translete them all) that 
openssl is sending within the client hello message.


...
0080  cf 00 00 3a 00 39 00 38  00 88 00 87 00 35 00 84   ...:.9.8 .....5..
0090  00 16 00 13 00 0a 00 33  00 32 00 9a 00 99 00 45   .......3 .2.....E
00a0  00 44 00 2f 00 96 00 41  00 05 00 04 00 15 00 12   .D./...A ........
00b0  00 09 00 14 00 11 00 08  00 06 00 03 00 ff
...


But the server only sends back the one it has selected in the server 
hello message


Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)


When I use the debug and force the cipher I get the following:


[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher 
DHE-DSS-AES128-SHA -debug

CONNECTED(00000003)
write to 0x2023a30 [0x20c3990] (58 bytes => 58 (0x3A))
0000 - 16 03 01 00 35 01 00 00-31 03 01 51 e9 69 34 22   ....5...1..Q.i4"
0010 - 3d f2 28 38 66 ea 10 81-9f 3e e9 3a 43 39 b1 d8   =.(8f....>.:C9..
0020 - 27 7f af 5b 6e 6d ff b1-db 20 ae 00 00 04 00 32   '..[nm... .....2
0030 - 00 ff 01 00 00 04 00 23-  .......#
003a - <SPACES/NULS>
read from 0x2023a30 [0x20c8ef0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28  ......(

139928132474696:error:14077410:SSL 
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
failure:s23_clnt.c:674:

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@ldap01 ~]#


Ok.  Please file a ticket at https://fedorahosted.org/389/newticket




--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





















					Reply via email to