1150368 – Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1150368 - Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif

Summary: Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	6.5
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Noriko Hosoi
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-10-08 05:05 UTC by amd
Modified:	2015-07-22 06:35 UTC (History)
CC List:	5 users (show)
Fixed In Version:	389-ds-base-1.2.11.15-51.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:	1. CentOS release 6.5 (Final). 2. Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 UTC 2014 i686 i686 i386 GNU/Linux. 3. ipa-server-3.0.0-37.el6.i686
Last Closed:	2015-07-22 06:35:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:1326	0	normal	SHIPPED_LIVE	389-ds-base bug fix and enhancement update	2015-07-20 17:53:07 UTC

Description amd 2014-10-08 05:05:43 UTC

Description of problem: Installed FreeIPA on CentOS host using YUM. 389-DS was installed as a depedency. Edited /etc/dirsrv/slapd-<REALM>/dse.ldif files to disable Null ciphers, but Nessus scans still indicate Null Cipher on 389 and 636 LDAP ports.

Version-Release number of selected component (if applicable): 389-ds-base.i686 1.2.11.15-34.el6_5

How reproducible: Easy.

Steps to Reproduce:
1. Install FreeIPA server on a CentOS host - 'yum install ipa-server'.
2. Stop IPA using - /etc/init.d/ipa stop
3. edit nsSSL3Ciphers in the following 2 files - 
	/etc/dirsrv/slapd-PKI-IPA/dse.ldif
	/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
4. nsSSL3Ciphers should look like this - 
	nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
	  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
	  rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
	  a_export1024_with_des_cbc_sha

5. Start IPA using - /etc/init.d/ipa start
2. Scan ports on this host using Nessus or other security/port scanner.
3. Scan results show Weak and Null ciphers being used on port 389 and port 636.

Actual results:
Nessus scan results - 

	TLSv1
	  EXP-RC2-CBC-MD5              Kx=RSA(512)    Au=RSA      Enc=RC2-CBC(40)          Mac=MD5    export     
	  EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export     

	TLSv1
	  EXP1024-DES-CBC-SHA          Kx=RSA(1024)   Au=RSA      Enc=DES-CBC(56)          Mac=SHA1   export     
	  EXP1024-RC4-SHA              Kx=RSA(1024)   Au=RSA      Enc=RC4(56)              Mac=SHA1   export     
	  DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)          Mac=SHA1   

	TLSv1
	  NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1   
	Port
	389 / tcp / ldap 	
	636 / tcp / ldap 	


Expected results:
No Null or Weak Ciphers

Additional info:
CentOS release 6.5 (Final).
Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 UTC 2014 i686 i686 i386 GNU/Linux.

Comment 1 amd 2014-10-08 05:11:10 UTC

Environment - 
1. CentOS release 6.5 (Final).
2. Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 3. UTC 2014 i686 i686 i386 GNU/Linux.
ipa-server-3.0.0-37.el6.i686


Dependencies - 

[root]# yum deplist ipa-server
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirror.ash.fastserv.com
 * epel: mirror.symnds.com
 * extras: ftp.linux.ncsu.edu
 * updates: centos.aol.com
Finding dependencies:
package: ipa-server.i686 3.0.0-37.el6
  dependency: python(abi) = 2.6
   provider: python.i686 2.6.6-51.el6
   provider: python.i686 2.6.6-52.el6
  dependency: acl
   provider: acl.i686 2.2.49-6.el6
  dependency: krb5-server < 1.11
   provider: krb5-server.i686 1.10.3-10.el6_4.6
   provider: krb5-server.i686 1.10.3-15.el6_5.1
  dependency: zip
   provider: zip.i686 3.0-1.el6
  dependency: ipa-server-selinux = 3.0.0-37.el6
   provider: ipa-server-selinux.i686 3.0.0-37.el6
  dependency: nss-tools
   provider: nss-tools.i686 3.15.1-15.el6
   provider: nss-tools.i686 3.15.3-2.el6_5
   provider: nss-tools.i686 3.15.3-3.el6_5
   provider: nss-tools.i686 3.15.3-6.el6_5
   provider: nss-tools.i686 3.16.1-4.el6_5
   provider: nss-tools.i686 3.16.1-7.el6_5
  dependency: libcrypto.so.10(libcrypto.so.10)
   provider: openssl.i686 1.0.1e-15.el6
   provider: openssl.i686 1.0.1e-16.el6_5.1
   provider: openssl.i686 1.0.1e-16.el6_5.14
   provider: openssl.i686 1.0.1e-16.el6_5.15
   provider: openssl.i686 1.0.1e-16.el6_5.4.0.1.centos
   provider: openssl.i686 1.0.1e-16.el6_5.4
   provider: openssl.i686 1.0.1e-16.el6_5.7
   provider: openssl.i686 1.0.1e-16.el6_5
  dependency: mod_nss >= 1.0.8-18
   provider: mod_nss.i686 1.0.8-18.el6
   provider: mod_nss.i686 1.0.8-19.el6_5
  dependency: libndr-nbt.so.0(NDR_NBT_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: /usr/bin/python
   provider: python.i686 2.6.6-51.el6
   provider: python.i686 2.6.6-52.el6
  dependency: ipa-python = 3.0.0-37.el6
   provider: ipa-python.i686 3.0.0-37.el6
  dependency: libndr.so.0(NDR_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: libkrb5.so.3(krb5_3_MIT)
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: libcom_err.so.2
   provider: libcom_err.i686 1.41.12-18.el6
   provider: libcom_err.i686 1.41.12-18.el6_5.1
  dependency: cyrus-sasl-gssapi(x86-32)
   provider: cyrus-sasl-gssapi.i686 2.1.23-13.el6_3.1
  dependency: /bin/sh
   provider: bash.i686 4.1.2-15.el6_4
   provider: bash.i686 4.1.2-15.el6_5.2
   provider: bash.i686 4.1.2-15.el6_5.1
  dependency: policycoreutils >= 2.0.83-19.24
   provider: policycoreutils.i686 2.0.83-19.39.el6
  dependency: libtalloc.so.2
   provider: libtalloc.i686 2.0.7-2.el6
  dependency: libcrypto.so.10
   provider: openssl.i686 1.0.1e-15.el6
   provider: openssl.i686 1.0.1e-16.el6_5.1
   provider: openssl.i686 1.0.1e-16.el6_5.14
   provider: openssl.i686 1.0.1e-16.el6_5.15
   provider: openssl.i686 1.0.1e-16.el6_5.4.0.1.centos
   provider: openssl.i686 1.0.1e-16.el6_5.4
   provider: openssl.i686 1.0.1e-16.el6_5.7
   provider: openssl.i686 1.0.1e-16.el6_5
  dependency: libuuid.so.1(UUID_1.0)
   provider: libuuid.i686 2.17.2-12.14.el6
   provider: libuuid.i686 2.17.2-12.14.el6_5
  dependency: libkrb5.so.3
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: initscripts
   provider: initscripts.i686 9.03.40-2.el6.centos
   provider: initscripts.i686 9.03.40-2.el6.centos.1
   provider: initscripts.i686 9.03.40-2.el6.centos.2
   provider: initscripts.i686 9.03.40-2.el6.centos.3
   provider: initscripts.i686 9.03.40-2.el6.centos.4
  dependency: libk5crypto.so.3(k5crypto_3_MIT)
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: libndr-nbt.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: ipa-admintools = 3.0.0-37.el6
   provider: ipa-admintools.i686 3.0.0-37.el6
  dependency: slapi-nis >= 0.40
   provider: slapi-nis.i686 0.40-4.el6
  dependency: 389-ds-base >= 1.2.11.15-14
   provider: 389-ds-base.i686 1.2.11.15-29.el6
   provider: 389-ds-base.i686 1.2.11.15-30.el6_5
   provider: 389-ds-base.i686 1.2.11.15-31.el6_5
   provider: 389-ds-base.i686 1.2.11.15-32.el6_5
   provider: 389-ds-base.i686 1.2.11.15-33.el6_5
   provider: 389-ds-base.i686 1.2.11.15-34.el6_5
  dependency: keyutils
   provider: keyutils.i686 1.4-4.el6
  dependency: python-krbV
   provider: python-krbV.i686 1.0.90-1.el6
   provider: python-krbV.i686 1.0.90-3.el6
  dependency: python-ldap
   provider: python-ldap.i686 2.3.10-1.el6
  dependency: openssh-clients
   provider: openssh-clients.i686 5.3p1-94.el6
  dependency: selinux-policy-base
   provider: selinux-policy-minimum.noarch 3.7.19-231.el6
   provider: selinux-policy-mls.noarch 3.7.19-231.el6
   provider: selinux-policy-targeted.noarch 3.7.19-231.el6
   provider: selinux-policy-minimum.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy-minimum.noarch 3.7.19-231.el6_5.3
   provider: selinux-policy-mls.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy-mls.noarch 3.7.19-231.el6_5.3
   provider: selinux-policy-targeted.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy-targeted.noarch 3.7.19-231.el6_5.3
  dependency: libndr-krb5pac.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: pki-ca >= 9.0.3-30
   provider: pki-ca.noarch 9.0.3-32.el6
  dependency: nss
   provider: nss.i686 3.15.1-15.el6
   provider: nss.i686 3.15.3-2.el6_5
   provider: nss.i686 3.15.3-3.el6_5
   provider: nss.i686 3.15.3-6.el6_5
   provider: nss.i686 3.16.1-4.el6_5
   provider: nss.i686 3.16.1-7.el6_5
  dependency: chkconfig
   provider: chkconfig.i686 1.3.49.3-2.el6_4.1
  dependency: krb5-server >= 1.10
   provider: krb5-server.i686 1.10.3-10.el6_4.6
   provider: krb5-server.i686 1.10.3-15.el6_5.1
  dependency: libc.so.6(GLIBC_2.8)
   provider: glibc.i686 2.12-1.132.el6
   provider: glibc.i686 2.12-1.132.el6_5.1
   provider: glibc.i686 2.12-1.132.el6_5.2
   provider: glibc.i686 2.12-1.132.el6_5.3
   provider: glibc.i686 2.12-1.132.el6_5.4
  dependency: libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: selinux-policy >= 3.7.19-193
   provider: selinux-policy.noarch 3.7.19-231.el6
   provider: selinux-policy.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy.noarch 3.7.19-231.el6_5.3
  dependency: rtld(GNU_HASH)
   provider: glibc.i686 2.12-1.132.el6
   provider: glibc.i686 2.12-1.132.el6_5.1
   provider: glibc.i686 2.12-1.132.el6_5.2
   provider: glibc.i686 2.12-1.132.el6_5.3
   provider: glibc.i686 2.12-1.132.el6_5.4
  dependency: liblber-2.4.so.2
   provider: openldap.i686 2.4.23-32.el6_4.1
   provider: openldap.i686 2.4.23-34.el6_5.1
  dependency: ipa-client = 3.0.0-37.el6
   provider: ipa-client.i686 3.0.0-37.el6
  dependency: ipa-pki-common-theme
   provider: ipa-pki-common-theme.noarch 9.0.3-7.el6
  dependency: pki-setup >= 9.0.3-30
   provider: pki-setup.noarch 9.0.3-32.el6
  dependency: ipa-pki-ca-theme
   provider: ipa-pki-ca-theme.noarch 9.0.3-7.el6
  dependency: libsamba-util.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: python-memcached >= 1.43-6
   provider: python-memcached.noarch 1.43-6.el6
  dependency: openldap-clients
   provider: openldap-clients.i686 2.4.23-32.el6_4.1
   provider: openldap-clients.i686 2.4.23-34.el6_5.1
  dependency: libndr.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: libtalloc.so.2(TALLOC_2.0.2)
   provider: libtalloc.i686 2.0.7-2.el6
  dependency: python
   provider: python.i686 2.6.6-51.el6
   provider: python.i686 2.6.6-52.el6
  dependency: ntp
   provider: ntp.i686 4.2.6p5-1.el6.centos
  dependency: memcached
   provider: memcached.i686 1.4.4-3.el6
  dependency: mod_auth_kerb >= 5.4-8
   provider: mod_auth_kerb.i686 5.4-10.el6
  dependency: mod_wsgi
   provider: mod_wsgi.i686 3.2-3.el6
   provider: mod_wsgi.i686 3.2-6.el6_5
  dependency: pki-silent >= 9.0.3-30
   provider: pki-silent.noarch 9.0.3-32.el6
  dependency: httpd >= httpd-2.2.15-24
   provider: httpd.i686 2.2.15-29.el6.centos
   provider: httpd.i686 2.2.15-30.el6.centos
   provider: httpd.i686 2.2.15-31.el6.centos
  dependency: libtevent.so.0
   provider: libtevent.i686 0.9.18-3.el6
  dependency: libuuid.so.1
   provider: libuuid.i686 2.17.2-12.14.el6
   provider: libuuid.i686 2.17.2-12.14.el6_5
  dependency: libsamba-util.so.0(SAMBA_UTIL_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: libldap_r-2.4.so.2
   provider: openldap.i686 2.4.23-32.el6_4.1
   provider: openldap.i686 2.4.23-34.el6_5.1
  dependency: python-pyasn1 >= 0.0.9a
   provider: python-pyasn1.noarch 0.0.12a-1.el6
  dependency: libk5crypto.so.3
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: certmonger >= 0.61-3
   provider: certmonger.i686 0.61-3.el6
[root]#

Comment 3 Noriko Hosoi 2015-01-08 02:32:12 UTC

With the fixes for
  DS 47928
  DS 47945
  DS 47880,
configured the server as follows:
 dn: cn=encryption,cn=config
 nsSSL3: off
 nsTLS1: on
 nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
  rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
  a_export1024_with_des_cbc_sha

The server reports the following ciphers are enabled, which does not include null cipher.
nssslenabledciphers: rc4::RC4::MD5::128
nssslenabledciphers: rc4export::RC4::MD5::128
nssslenabledciphers: rc2::RC2::MD5::128
nssslenabledciphers: rc2export::RC2::MD5::128
nssslenabledciphers: des::DES::MD5::64
nssslenabledciphers: desede3::3DES::MD5::192
nssslenabledciphers: rsa_rc4_128_md5::RC4::MD5::128
nssslenabledciphers: rsa_rc4_128_sha::RC4::SHA1::128
nssslenabledciphers: rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_des_sha::DES::SHA1::64
nssslenabledciphers: rsa_fips_3des_sha::3DES::SHA1::192
nssslenabledciphers: fips_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_fips_des_sha::DES::SHA1::64
nssslenabledciphers: fips_des_sha::DES::SHA1::64
nssslenabledciphers: rsa_rc4_40_md5::RC4::MD5::128
nssslenabledciphers: rsa_rc2_40_md5::RC2::MD5::128
nssslenabledciphers: tls_rsa_export1024_with_rc4_56_sha::RC4::SHA1::128
nssslenabledciphers: rsa_rc4_56_sha::RC4::SHA1::128
nssslenabledciphers: tls_rsa_export1024_with_des_cbc_sha::DES::SHA1::64
nssslenabledciphers: rsa_des_56_sha::DES::SHA1::64
nssslenabledciphers: dhe_dss_des_sha::DES::SHA1::64
nssslenabledciphers: dhe_dss_3des_sha::3DES::SHA1::192
nssslenabledciphers: dhe_rsa_des_sha::DES::SHA1::64
nssslenabledciphers: dhe_rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: tls_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_dss_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_dss_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_dss_1024_rc4_sha::RC4::SHA1::128
nssslenabledciphers: tls_dhe_dss_rc4_128_sha::RC4::SHA1::128

Comment 5 Sankar Ramalingam 2015-03-29 09:59:24 UTC

Configured SSL and added the following nsSSL3ciphers. Enabled ciphers doesn't show any null ciphers. Hence, marking the bug as Verified.

Build tested:
[root@cloud-qe-15 ~]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.2.11.15-53.el6.x86_64
389-ds-base-1.2.11.15-53.el6.x86_64

[root@cloud-qe-15 ~]# cat /tmp/nullCipher.ldif 
dn: cn=encryption,cn=config
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
[root@cloud-qe-15 ~]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -f /tmp/nullCipher.ldif 
modifying entry "cn=encryption,cn=config"

[root@cloud-qe-15 ~]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=config"  |grep -i nssslenabledciphers |grep -i null

Comment 6 errata-xmlrpc 2015-07-22 06:35:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html

Note You need to log in before you can comment on or make changes to this bug.