Bug 1817505

Summary: Allowing specific cipher will remove all enabled ciphers if 'default ciphers' is clicked
Product: Red Hat Directory Server Reporter: sgouvern
Component: 389-ds-baseAssignee: Simon Pichugin <spichugi>
Status: CLOSED CURRENTRELEASE QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high Docs Contact: Evgenia Martynyuk <emartyny>
Priority: high    
Version: 11.2CC: ldap-maint, mreynolds, pasik, spichugi, tbordaz, vashirov
Target Milestone: DS11.3Keywords: Triaged
Target Release: dirsrv-11.8   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
.You can now enable and disable ciphers in Directory Server as expected Previously, when you tried to enable or disable specific ciphers in addition to default ciphers by using the web console, the server enabled or disabled only the specific ciphers and logged an error similar to the following: ---- Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error) ---- Currently, the network security services (NSS) do not support handling default ciphers and specific ciphers at the same time. As a result, Directory Server can enable or disable either specific ciphers or default ciphers. With this update, when you set the default ciphers, the web console now prompts that *Allow Specific Ciphers* and *Deny Specific Ciphers* fields will be cleared.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-01 16:36:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description sgouvern 2020-03-26 13:08:46 UTC 
Description of problem:
On 'Server Settings'/'Security'/'Cipher preferences' tab, allowing a specific cipher will remove all enabled cipher, if 'default ciphers' is selected after that.


Version-Release number of selected component (if applicable):
cockpit-389-ds-1.4.2.9-1.module+el8dsrv+6001+1cbc6dcf.noarch


How reproducible:
always

Steps to Reproduce:
1. Go to 'Server Settings'/'Security'/'Cipher preferences'
2. Select a cipher in 'allow specific ciphers' list
3. click 'Default ciphers'
3. 'Save cipher preferences' 
4. restart the instance
5. Come back to 'Server Settings'/'Security'/'Cipher preferences'

Actual results:
The 'Enabled ciphers' list is empty

Expected results:
Enabled ciphers are default ones plus added allowed specific cipher

Additional info: 
A search of the list of enabled ciphers with dsconf will show : 'List of ciphers is empty'
Comment 1 mreynolds 2020-03-30 14:17:45 UTC 
This isn't a problem with the UI or CLI, itis what is reported by NSS.  Moving to different component to investigate as the root cause is not the UI
Comment 6 sgouvern 2021-05-07 07:58:44 UTC 
Moving to ITM 14 as it is not yet started