RHDS Admin Console enables unsupported Ciphers by default #1803

Closed
389-ds-bot opened this issue Sep 13, 2020 · 9 comments
Labels
closed: fixed Migration flag - Issue

Comments

@389-ds-bot

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/48743


Description of problem:
Setting up SSL/TLS enables ciphers that are unsupported by the
underlying NSS libs. Also, disabling them in the console still results in a
warning about them being unsupported.

Version-Release number of selected component (if applicable):
389-ds-console-1.2.12-1.el7dsrv.noarch

How reproducible:
Always.


Steps to Reproduce:
1. Set up RHDS
2. Enable SSL/TLS as per the Admin Guide sec. 7.4 using the Admin Console
3. Use the default ciphers as part of the SSL/TLS enablement

Actual results:
From /var/log/dirsrv/slapd-ID/errors:
SSL alert: Cipher suite fortezza_null is not available in NSS 3.19.  Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.19.  Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19.  Ignoring fortezza_rc4_128_sha

Even after manually turning them off in the Admin Console, it configures:
nsSSL3Ciphers: ...,-fortezza_null, -fortezza, -fortezza_rc4_128_sha,...

resulting in the same errors.

Expected results:
The Admin Console not to configure (either enable or disable) unsupported
ciphers.
@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 13, 2020
@389-ds-bot 389-ds-bot added this to the 389-admin,console 1.1.44 milestone Sep 13, 2020
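
A check for the condition reported above, as an added example that is not part of the original issue or the 389-ds code base: it matches the "not available in NSS" alerts from the errors log against an `nsSSL3Ciphers` value and lists the entries, enabled or disabled, that name ciphers the server cannot resolve. The sample log text and attribute value are constructed from the lines quoted in the report, and all function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log lines and attribute quoted in the report.
SAMPLE_ERRORS = """\
SSL alert: Cipher suite fortezza_null is not available in NSS 3.19.  Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.19.  Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19.  Ignoring fortezza_rc4_128_sha
"""
SAMPLE_CIPHERS = "-rsa_null_md5, -fortezza_null, -fortezza, +fortezza_rc4_128_sha"

ALERT_RE = re.compile(r"SSL alert: Cipher suite (\S+) is not available in NSS")


def unavailable_ciphers(log_text):
    """Names the server reported as unknown to the NSS build it runs on."""
    return set(ALERT_RE.findall(log_text))


def parse_cipher_attr(value):
    """Split an nsSSL3Ciphers value into (sign, name) pairs."""
    pairs = []
    for token in (t.strip() for t in value.split(",")):
        # Assumption: only +name / -name tokens matter here; anything else is skipped.
        if len(token) > 1 and token[0] in "+-":
            pairs.append((token[0], token[1:]))
    return pairs


def stale_entries(cipher_attr, log_text):
    """Configured entries (either sign) whose cipher name triggered an alert."""
    missing = unavailable_ciphers(log_text)
    return [(s, n) for s, n in parse_cipher_attr(cipher_attr) if n in missing]


def cleaned_attr(cipher_attr, log_text):
    """The same attribute value with the unresolvable names dropped."""
    missing = unavailable_ciphers(log_text)
    kept = [s + n for s, n in parse_cipher_attr(cipher_attr) if n not in missing]
    return ",".join(kept)


if __name__ == "__main__":
    for sign, name in stale_entries(SAMPLE_CIPHERS, SAMPLE_ERRORS):
        state = "enabled" if sign == "+" else "disabled"
        print(f"{name}: configured as {state}, not available in NSS")
    print("suggested nsSSL3Ciphers:", cleaned_attr(SAMPLE_CIPHERS, SAMPLE_ERRORS))
```
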
@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2016-07-08 01:00:08

DS fix to not check if disabled ciphers are known
0001-Ticket-48743-If-a-cipher-is-disabled-do-not-attempt-.patch

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2016-07-08 01:54:25

To ssh://git.fedorahosted.org/git/389/ds.git
622d6a6..6b61e05 master -> master
commit 6b61e05
Author: Mark Reynolds mreynolds389@redhat.com
Date: Thu Jul 7 14:53:48 2016 -0400

To ssh://git.fedorahosted.org/git/idm-console-framework.git
0296644..97cc684 master -> master
commit 97cc6843765a1860eb55d92cc767a9fb26972535

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2016-10-19 01:53:14

Hi Mark,

Could you check your error log? If you don't see these, you have my ack. :)
Actual results:

From /var/log/dirsrv/slapd-ID/errors:
SSL alert: Cipher suite fortezza_null is not available in NSS 3.##.  Ignoring fortezza_null
SSL alert: Cipher suite fortezza is not available in NSS 3.##.  Ignoring fortezza
SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.##.  Ignoring fortezza_rc4_128_sha

Thanks!

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2016-10-19 02:00:26

Replying to [comment:9 nhosoi]:

> Hi Mark,
>
> Could you check your error log? If you don't see these, you have my ack. :)
> Actual results:
>
> From /var/log/dirsrv/slapd-ID/errors:
> SSL alert: Cipher suite fortezza_null is not available in NSS 3.##.  Ignoring fortezza_null
> SSL alert: Cipher suite fortezza is not available in NSS 3.##.  Ignoring fortezza
> SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.##.  Ignoring fortezza_rc4_128_sha
>
> Thanks!

Already did :-) If they are turned off in the console, they don't report any errors when the server is restarted. I turned them on, saw the errors, turned them off, no errors.

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2016-10-19 02:02:12

Thank you!!!!!!

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2016-10-19 02:10:13

603800c..e86e7b6 master -> master
commit e86e7b606a1ceb1bee18df728699111b26193148
Author: Mark Reynolds mreynolds389@redhat.com
Date: Tue Oct 18 13:46:33 2016 -0400

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2017-02-11 22:56:42

Metadata Update from @nhosoi:

  • Issue assigned to mreynolds389
  • Issue set to the milestone: 389-admin,console 1.1.44
