Bug 1353714

Summary: If a cipher is disabled, do not attempt to look it up
Product: Red Hat Enterprise Linux 7 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3
CC: nkinder, rmeggins, spichugi
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.5.10-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 20:43:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2016-07-07 19:30:53 UTC
Description of problem:

Description:  Even if an SSL cipher is disabled the server still attempts
              to locate the cipher in the security library.  If the disabled
              cipher is unknown it logs a warning at server startup, but
              if it's disabled there is no reason to check if it exists.

https://fedorahosted.org/389/ticket/48743
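Added illustration of the behaviour described in this report (not code from 389-ds-base): a walk over a comma-separated cipher spec in the +name/-name form, once looking up every entry (the reported behaviour) and once skipping disabled entries (the fix). The available-suite table and the spec string are constructed, and the +/- prefix syntax and the "all" keyword are assumptions about the format.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the security library's suite table. */
static const char *available_suites[] = {
    "rsa_aes_128_sha", "rsa_aes_256_sha", "rsa_rc4_128_md5", NULL
};

static bool suite_is_available(const char *name) {
    for (const char **p = available_suites; *p; p++)
        if (strcmp(*p, name) == 0) return true;
    return false;
}

/* Walks a "+name,-name,..." spec (assumed format). With check_disabled true it
 * reproduces the reported behaviour: every entry is looked up, even disabled
 * ones. With check_disabled false only ciphers being enabled are looked up.
 * Returns the number of "not available" alerts that would be logged. */
int count_cipher_alerts(const char *spec, bool check_disabled) {
    char buf[512];
    int alerts = 0;
    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        bool enabled = (tok[0] != '-');
        const char *name = (tok[0] == '+' || tok[0] == '-') ? tok + 1 : tok;
        if (strcmp(name, "all") == 0)
            continue;                 /* keyword, not a suite name */
        if (!enabled && !check_disabled)
            continue;                 /* fix: nothing to look up for a disabled cipher */
        if (!suite_is_available(name)) {
            fprintf(stderr, "SSL alert: Cipher suite %s is not available. Ignoring %s\n",
                    name, name);
            alerts++;
        }
    }
    return alerts;
}

int main(void) {
    /* Constructed spec: two enabled known suites, two disabled unknown ones. */
    const char *spec = "+rsa_aes_128_sha,-fortezza,-fortezza_rc4_128_sha,+rsa_aes_256_sha";
    printf("before fix: %d alerts\n", count_cipher_alerts(spec, true));   /* 2 */
    printf("after fix:  %d alerts\n", count_cipher_alerts(spec, false));  /* 0 */
    return 0;
}
```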

Comment 1 mreynolds 2016-07-07 19:55:16 UTC
Fixed upstream

Comment 3 Simon Pichugin 2016-07-29 14:03:24 UTC
Build tested:
389-ds-base-1.3.5.10-5.el7.x86_64

Verification steps:
1. Set up RHDS

2. Enable SSL/TLS as per the Admin Guide sec. 7.4 using the Admin Console

3. Use the default ciphers as part of the SSL/TLS enablement (fortezza family is enabled)

4. Check errors log for SSL alert about fortezza:
[root@rhel-dev slapd-rhel-dev]# grep fortezza /var/log/dirsrv/slapd-rhel-dev/errors
[29/Jul/2016:15:57:44.470979041 +0200] SSL alert: Cipher suite fortezza_null is not available in NSS 3.21.  Ignoring fortezza_null
[29/Jul/2016:15:57:44.504161610 +0200] SSL alert: Cipher suite fortezza is not available in NSS 3.21.  Ignoring fortezza
[29/Jul/2016:15:57:44.509658458 +0200] SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.21.  Ignoring fortezza_rc4_128_sha

5. Disable fortezza family using the Admin Console

6. Check errors log for SSL alert about fortezza:
[root@rhel-dev slapd-rhel-dev]# grep fortezza /var/log/dirsrv/slapd-rhel-dev/errors
[root@rhel-dev slapd-rhel-dev]# echo $?
1

Result: server doesn't check for disabled ciphers.
Marking as verified.

Comment 5 errata-xmlrpc 2016-11-03 20:43:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html