Description of problem:

When Windows Server 2012R2 (possibly others too) is updated with MS14-066 security update (https://support.microsoft.com/en-us/kb/2992611), NSS-enabled applications stop working with existing defaults. In particular:

1. ldapsearch fails TLS negotiation
2. python-ldap fails TLS negotiation

On the other hand, openssl-based tools work.

An attempt to set higher TLS level results in inconsistency:

[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.3 ldapsearch -v -Z -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.2 ldapsearch -v -Z -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.1 ldapsearch -v -Z -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.0 ldapsearch -v -Z -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
ldap_start_tls: Connect error (-11)
	additional info: TLS error -5961:TCP connection reset by peer
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[root@rh7-1 ~]# LDAPTLS_PROTOCOL_MIN=3.4 ldapsearch -v -Z -H ldap://wdc.adx.test -D cn=winsync,cn=Users,dc=adx,dc=test -w w1nsynC1 -b cn=Users,dc=adx,dc=test
ldap_initialize( ldap://wdc.adx.test:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=adx,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Users, adx.test
dn: CN=Users,DC=adx,DC=test
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=adx,DC=test
instanceType: 4
whenCreated: 20140930130851.0Z
whenChanged: 20140930130851.0Z
uSNCreated: 5821
uSNChanged: 5821
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: se/9dpqxKkKfaoQrtU8KBQ==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=adx,DC=test
isCriticalSystemObject: TRUE
dSCorePropagationData: 20140930130930.0Z
dSCorePropagationData: 16010101000001.0Z
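The sweep above maps server behaviour by varying LDAPTLS_PROTOCOL_MIN and reading NSS error -5961 off ldapsearch. The following script is an added example, not part of this bug report or of OpenLDAP/NSS: it performs the same diagnosis with only the Python standard library by building the LDAP StartTLS ExtendedRequest (RFC 4511 section 4.14) itself, parsing the ExtendedResponse, and then pinning the handshake to one TLS version per connection, so a "reset by peer" can be attributed to a specific version rather than to whatever the client library's defaults negotiated. The host name, port and the sample response bytes used by the server-side builder are constructed placeholders, not values from this report.

```python
"""Probe which TLS versions an LDAP server accepts after StartTLS.

Added example (not from the bug report). Builds the StartTLS
ExtendedRequest by hand, parses the server's ExtendedResponse, and tries
one TLS version per fresh connection. Host/port are placeholders.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _int_body(n: int) -> bytes:
    """Minimal two's-complement content octets of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def starttls_request(msg_id: int = 1) -> bytes:
    """Client side: LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # requestName [0] LDAPOID
    ext = b"\x77" + ber_len(len(name)) + name                     # [APPLICATION 23] ExtendedRequest
    mid = _int_body(msg_id)
    body = b"\x02" + ber_len(len(mid)) + mid + ext                # messageID INTEGER, then the op
    return b"\x30" + ber_len(len(body)) + body                    # SEQUENCE LDAPMessage


def build_extended_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side: the ExtendedResponse ([APPLICATION 24]) a peer answers StartTLS with (constructed)."""
    rc = _int_body(result_code)
    diag = diagnostic.encode()
    inner = (b"\x0a" + ber_len(len(rc)) + rc                      # resultCode ENUMERATED
             + b"\x04\x00"                                        # matchedDN (empty)
             + b"\x04" + ber_len(len(diag)) + diag)               # diagnosticMessage
    resp = b"\x78" + ber_len(len(inner)) + inner
    mid = _int_body(msg_id)
    body = b"\x02" + ber_len(len(mid)) + mid + resp
    return b"\x30" + ber_len(len(body)) + body


def parse_extended_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, mid, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse (0x78), got tag 0x%02x" % tag)
    _, rc, pos = _tlv(resp, 0)                  # resultCode
    _, _, pos = _tlv(resp, pos)                 # matchedDN, not needed here
    _, diag, _ = _tlv(resp, pos)                # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


TLS_VERSIONS = {                                # same order as the LDAPTLS_PROTOCOL_MIN sweep
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """One fresh connection per TLS version; maps the version name to the observed outcome."""
    results = {}
    for name, ver in TLS_VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(starttls_request(1))
                _, rc, diag = parse_extended_response(sock.recv(4096))
                if rc != 0:
                    results[name] = "StartTLS refused: resultCode=%d %s" % (rc, diag)
                    continue
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.check_hostname = False        # this probe diagnoses version negotiation only,
                ctx.verify_mode = ssl.CERT_NONE   # not certificate trust; keep verification in real clients
                ctx.minimum_version = ver         # min first so min <= max holds at every step
                ctx.maximum_version = ver
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = "ok (%s)" % tls.version()
        except ConnectionResetError:              # the condition NSS reports as error -5961
            results[name] = "reset by peer"
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[name] = "error: %s" % exc
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"   # placeholder host
    for version, outcome in probe_starttls(target).items():
        print("%-8s %s" % (version, outcome))
```

Run it as `python3 probe.py wdc.example.test` against the directory server in question; a server that resets the connection for TLS 1.0 and 1.1 but completes a TLS 1.2 handshake points at a version-negotiation problem in the client library rather than at the server's StartTLS support. The sample response bytes are only used by the server-side builder for self-checking the parser; nothing in the probe relies on them.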
This is the related upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1155922
I expect this to be fixed once we pick up NSS 3.19
This has been fixed as part of publishing updates to NSS 3.19.1