Bug 2278695

Summary: Not able to remove ciphers from Directory Server
Product: Red Hat Directory Server
Component: 389-ds-base
Version: 11.8
Status: CLOSED MIGRATED
Severity: high
Priority: high
Reporter: Eugene Keck <ekeck>
Assignee: LDAP Maintainers <idm-ds-dev-bugs>
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Docs Contact: Evgenia Martynyuk <emartyny>
CC: idm-ds-dev-bugs, tbordaz, vashirov
Target Milestone: DS12.5
Target Release: dirsrv-12.5
Keywords: Triaged
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Doc Type: If docs needed, set a value
Last Closed: 2024-06-26 13:51:28 UTC
Type: Bug

Description Eugene Keck 2024-05-02 19:22:54 UTC
Description of problem:
 Not able to remove ciphers

Version-Release number of selected component (if applicable):
 389-ds-base-1.4.3.37-2.module+el8.9.0+20974+3405b7e6.x86_64

How reproducible:
 Always

Steps to Reproduce:
 1. dsconf EXAMPLE-LOCAL security ciphers disable "TLS_RSA_WITH_AES_256_GCM_SHA384"
 2. dsctl EXAMPLE-LOCAL  restart

Actual results:
 WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)

Expected results:
 Disable cipher and not break SSL/TLS

Additional info:
 Did test all the following and each one gave the same error

 # dsconf EXAMPLE-LOCAL security ciphers disable "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 # dsconf EXAMPLE-LOCAL security ciphers disable "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
 # dsconf EXAMPLE-LOCAL security ciphers disable "TLS_RSA_WITH_AES_256_GCM_SHA384"

 Which does match

 # dsconf EXAMPLE-LOCAL  security ciphers list --supported | grep TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

 # dsconf EXAMPLE-LOCAL  security ciphers list --supported | grep TLS_RSA_WITH_AES_256_GCM_SHA384
 TLS_RSA_WITH_AES_256_GCM_SHA384

 # dsconf EXAMPLE-LOCAL  security ciphers list --supported | grep TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

 Also tried

 nsSSL3Ciphers: +default,-TLS_RSA_WITH_AES_256_GCM_SHA384
 nsSSL3Ciphers: -TLS_RSA_WITH_AES_256_GCM_SHA384

 Which also failed the same as

 nsSSL3Ciphers: default,-TLS_RSA_WITH_AES_256_GCM_SHA384
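
An added example, not part of the original report and not 389-ds-base code: a Python check that scans error-log lines for the warning quoted under "Actual results" and lists which tokens of the rejected nsSSL3Ciphers value lack the +/- prefix that the message itself names. The function names are hypothetical, and the second and third sample lines are constructed for illustration.

```python
import re

# The warning quoted under "Actual results"; the rejected value sits between < and >.
REJECTED = re.compile(
    r"Failed to set SSL cipher preference information: invalid ciphers <([^>]*)>"
)
# One token in the "+cipher1,-cipher2..." format that the warning itself states.
TOKEN = re.compile(r"[+-][A-Za-z0-9_]+")


def unprefixed_tokens(value):
    """Return the tokens of an nsSSL3Ciphers value that lack a leading + or -."""
    tokens = [t.strip() for t in value.split(",")]
    return [t for t in tokens if not TOKEN.fullmatch(t)]


def scan_error_log(lines):
    """Return one finding per rejected cipher value seen in the log lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REJECTED.search(line)
        if match:
            value = match.group(1)
            findings.append(
                {"line": number, "value": value, "unprefixed": unprefixed_tokens(value)}
            )
    return findings


# Line 1 is the warning from this report. Lines 2 and 3 are constructed: a
# placeholder for unrelated output, and the same warning carrying the "+default"
# value that the reporter says was rejected as well.
SAMPLE_LOG = [
    "WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)",
    "constructed placeholder line, unrelated to TLS",
    "WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <+default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)",
]

if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_LOG):
        # An empty "unprefixed" list means the value matches the stated format
        # and was still rejected, which is the behaviour this report describes.
        print(f["line"], f["value"], f["unprefixed"] or "matches stated format")
```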

Comment 2 Viktor Ashirov 2024-06-26 13:51:28 UTC
This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-77. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.