Bug 1150368
| Summary: | Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | amd <amurty> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.5 | CC: | amurty, jgalipea, nkinder, rmeggins, sramling |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.2.11.15-51.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | 1. CentOS release 6.5 (Final). 2. Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 UTC 2014 i686 i686 i386 GNU/Linux. 3. ipa-server-3.0.0-37.el6.i686 |
| Last Closed: | 2015-07-22 06:35:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
amd
2014-10-08 05:05:43 UTC
Environment -

1. CentOS release 6.5 (Final).
2. Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 UTC 2014 i686 i686 i386 GNU/Linux.
3. ipa-server-3.0.0-37.el6.i686

Dependencies - [root]# yum deplist ipa-server

With the fixes for DS 47928 DS 47945 DS 47880, configured the server as follows:

```
dn: cn=encryption,cn=config
nsSSL3: off
nsTLS1: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
```

The server reports the following ciphers are enabled, which does not include null cipher.

```
nssslenabledciphers: rc4::RC4::MD5::128
nssslenabledciphers: rc4export::RC4::MD5::128
nssslenabledciphers: rc2::RC2::MD5::128
nssslenabledciphers: rc2export::RC2::MD5::128
nssslenabledciphers: des::DES::MD5::64
nssslenabledciphers: desede3::3DES::MD5::192
nssslenabledciphers: rsa_rc4_128_md5::RC4::MD5::128
nssslenabledciphers: rsa_rc4_128_sha::RC4::SHA1::128
nssslenabledciphers: rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_des_sha::DES::SHA1::64
nssslenabledciphers: rsa_fips_3des_sha::3DES::SHA1::192
nssslenabledciphers: fips_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_fips_des_sha::DES::SHA1::64
nssslenabledciphers: fips_des_sha::DES::SHA1::64
nssslenabledciphers: rsa_rc4_40_md5::RC4::MD5::128
nssslenabledciphers: rsa_rc2_40_md5::RC2::MD5::128
nssslenabledciphers: tls_rsa_export1024_with_rc4_56_sha::RC4::SHA1::128
nssslenabledciphers: rsa_rc4_56_sha::RC4::SHA1::128
nssslenabledciphers: tls_rsa_export1024_with_des_cbc_sha::DES::SHA1::64
nssslenabledciphers: rsa_des_56_sha::DES::SHA1::64
nssslenabledciphers: dhe_dss_des_sha::DES::SHA1::64
nssslenabledciphers: dhe_dss_3des_sha::3DES::SHA1::192
nssslenabledciphers: dhe_rsa_des_sha::DES::SHA1::64
nssslenabledciphers: dhe_rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: tls_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_dss_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_dss_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_dss_1024_rc4_sha::RC4::SHA1::128
nssslenabledciphers: tls_dhe_dss_rc4_128_sha::RC4::SHA1::128
```

Configured SSL and added the following nsSSL3ciphers. Enabled ciphers don't show any null ciphers. Hence, marking the bug as Verified.

Build tested:

```
[root@cloud-qe-15 ~]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.2.11.15-53.el6.x86_64
389-ds-base-1.2.11.15-53.el6.x86_64

[root@cloud-qe-15 ~]# cat /tmp/nullCipher.ldif
dn: cn=encryption,cn=config
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

[root@cloud-qe-15 ~]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -f /tmp/nullCipher.ldif
modifying entry "cn=encryption,cn=config"

[root@cloud-qe-15 ~]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=config" |grep -i nssslenabledciphers |grep -i null
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html
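
The verification above greps the `nssslenabledciphers` values for "null"; an empty result looks the same whether no null cipher is enabled or the search returned no values at all. The following is an added example, not code from this bug report or from the 389-ds project, that separates those cases and also checks that every cipher switched off with `-` in `nsSSL3Ciphers` is absent from the enabled list. The `name::cipher::mac::bits` layout is inferred from the listing on this page, and the sample entries, including the `rsa_null_md5::NULL::MD5::0` line, are constructed.

```python
# Constructed samples shaped like `ldapsearch -LLL -b cn=encryption,cn=config` output.
FIXED = """dn: cn=encryption,cn=config
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+fo
 rtezza_rc4_128_sha,-fortezza_null
nssslenabledciphers: rsa_rc4_128_md5::RC4::MD5::128
nssslenabledciphers: rsa_3des_sha::3DES::SHA1::192
"""
# Hypothetical value line for a server that ignored the "-rsa_null_md5" directive.
UNFIXED = FIXED + "nssslenabledciphers: rsa_null_md5::NULL::MD5::0\n"


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def audit(ldif_text):
    """Return (status, null_ciphers, disabled_but_still_enabled)."""
    requested_off, enabled = set(), []
    for line in unfold(ldif_text):
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "nsssl3ciphers":
            tokens = [t.strip() for t in value.split(",")]
            requested_off |= {t[1:].lower() for t in tokens if t.startswith("-")}
        elif attr == "nssslenabledciphers":
            enabled.append(value.lower().split("::"))
    if not enabled:
        # Failed bind, wrong base DN or missing attribute: nothing was checked.
        return "INCONCLUSIVE", [], []
    nulls = sorted(f[0] for f in enabled if "null" in f[0] or "null" in f[1:2])
    still = sorted(f[0] for f in enabled if f[0] in requested_off)
    return ("FAIL" if nulls or still else "PASS"), nulls, still


if __name__ == "__main__":
    for label, text in (("fixed", FIXED), ("unfixed", UNFIXED), ("no output", "")):
        print(label, audit(text))
```

`audit()` takes the full text of the `ldapsearch -LLL` output for `cn=encryption,cn=config`, without the `grep` filters.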