Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1230996

Summary: nsSSL3Ciphers preference not enforced server side (regression)
Product: Red Hat Enterprise Linux 7 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED DUPLICATE QA Contact: Viktor Ashirov <vashirov>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.0CC: fweimer, nkinder, rmeggins, vkaigoro
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.4.0-6.el7 Doc Type: Bug Fix
Doc Text:
Cause: A fix made in 389-ds-base-1.3.3.1-4 introduced a regression that an sslSocket was created prior to setting the default cipher preferences. Consequence: The cipher preferences were not set to the sslSocket. Fix: Moved the sslSocket creation after setting the cipher preferences. Result: The sslSocket correctly inherits the default cipher preferences.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-15 14:28:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1232096    

Description Noriko Hosoi 2015-06-12 01:20:20 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48194

While trying to disable RC4 ciphers I came to notice that while nss default preferences seem to being set up correctly I can still connect to 389 using 'disabled' ciphers. This is on a fully patched Centos7 install with 389-ds-base-1.3.3.1-16.el7_1.x86_64.

Relevant Section of the dse config:
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
 128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
 6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
 SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
 LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
 WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
 BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
 RC4_128_MD5


As expected this results in disabling among others rc4 (this is the output of the log):
[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_SEED_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_RSA_FIPS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT_WITH_RC4_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_NULL_SHA256: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_NULL_MD5: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC4_128_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC2_128_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_DES_192_EDE3_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_DES_64_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC4_128_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - 389-Directory/1.3.3.1 B2015.118.1941 starting up


However when connecting with ssl I succeed:
openssl s_client -connect localhost:636 -cipher RC4-SHA

.....
---
SSL handshake has read 5015 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Session-ID: 0D92E8D6919DFD52359B8C81938E221408124796BA2D7ADA05D351DCA83D02AB
    Session-ID-ctx: 
    Master-Key: 6E48D87A2E185B7E0A0CCB324DE426F971C0AD3BA2041294E2DED0D0F6C11F6FE7D8FDE9A6E920E93C921C6E635135B7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1433873485
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

and even nmap:
nmap --script ssl-enum-ciphers -p 636 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-09 18:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

The setting did worked in 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 (centos 6.6).
Comment 1 Noriko Hosoi 2015-06-12 21:25:57 UTC 
For verification, CI test is available.

https://fedorahosted.org/389/attachment/ticket/48194/0001-Ticket-48194-CI-test-added-test-cases-for-ticket-481.patch