Bug 1230996 - nsSSL3Ciphers preference not enforced server side (regression)
Status: CLOSED DUPLICATE of bug 1232101
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Blocks: CVE-2015-3230
Reported: 2015-06-12 01:20 UTC by Noriko Hosoi
Modified: 2015-07-15 14:28 UTC (History)

Fixed In Version: 389-ds-base-1.3.4.0-6.el7
Doc Type: Bug Fix
Doc Text:
Cause: A fix made in 389-ds-base-1.3.3.1-4 introduced a regression in which an sslSocket was created before the default cipher preferences were set.
Consequence: The cipher preferences were not applied to the sslSocket.
Fix: The sslSocket creation was moved to after the cipher preferences are set.
Result: The sslSocket correctly inherits the default cipher preferences.
Last Closed: 2015-07-15 14:28:26 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2351 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2015-11-19 10:28:44 UTC

Description Noriko Hosoi 2015-06-12 01:20:20 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48194

While trying to disable RC4 ciphers I came to notice that, while the NSS default preferences seem to be set up correctly, I can still connect to 389 using 'disabled' ciphers. This is on a fully patched CentOS 7 install with 389-ds-base-1.3.3.1-16.el7_1.x86_64.

Relevant Section of the dse config:
nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_
 128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_25
 6_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_CBC_
 SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+T
 LS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_
 WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_C
 BC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_NULL_MD5,-TLS_RSA_WITH_
 RC4_128_MD5


As expected this results in disabling among others rc4 (this is the output of the log):
[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_SEED_CBC_SHA: disabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_DHE_DSS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_RSA_FIPS_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT_WITH_RC4_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDHE_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_ECDH_ECDSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_NULL_SHA: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_NULL_SHA256: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	TLS_RSA_WITH_NULL_MD5: disabled, (MUST BE DISABLED)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC4_128_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC2_128_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_DES_192_EDE3_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_DES_64_CBC_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC4_128_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: 	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - 389-Directory/1.3.3.1 B2015.118.1941 starting up


However when connecting with ssl I succeed:
openssl s_client -connect localhost:636 -cipher RC4-SHA

.....
---
SSL handshake has read 5015 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Session-ID: 0D92E8D6919DFD52359B8C81938E221408124796BA2D7ADA05D351DCA83D02AB
    Session-ID-ctx: 
    Master-Key: 6E48D87A2E185B7E0A0CCB324DE426F971C0AD3BA2041294E2DED0D0F6C11F6FE7D8FDE9A6E920E93C921C6E635135B7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1433873485
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

and even nmap:
nmap --script ssl-enum-ciphers -p 636 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-09 18:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

The setting did work in 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64 (CentOS 6.6).
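
Added example (not part of the original report and not 389-ds-base code): a check that compares the "Configured NSS Ciphers" lines in the server's startup log with the suites an ssl-enum-ciphers scan shows the listener accepting, and reports any suite that is logged as disabled but still negotiated. The sample inputs are constructed by abridging the log and nmap output quoted above; the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the startup log and nmap output in the report.
ERROR_LOG = """\
[09/Jun/2015:18:06:31 +0000] - SSL alert: Configured NSS Ciphers
[09/Jun/2015:18:06:31 +0000] - SSL alert: \tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: \tTLS_RSA_WITH_AES_128_CBC_SHA: enabled
[09/Jun/2015:18:06:31 +0000] - SSL alert: \tTLS_RSA_WITH_3DES_EDE_CBC_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: \tTLS_RSA_WITH_RC4_128_SHA: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - SSL alert: \tTLS_RSA_WITH_RC4_128_MD5: disabled, (WEAK CIPHER)
[09/Jun/2015:18:06:31 +0000] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
"""
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

LOG_RE = re.compile(r"SSL alert:\s+((?:TLS|SSL)_\w+): (enabled|disabled)")
NMAP_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+) - \w+", re.M)

def configured_state(log_text):
    """Map cipher name -> True (enabled) / False (disabled) per the startup log."""
    return {name: state == "enabled" for name, state in LOG_RE.findall(log_text)}

def offered_ciphers(nmap_text):
    """Set of suites the listener accepted, per the ssl-enum-ciphers output."""
    return set(NMAP_RE.findall(nmap_text))

def enforcement_gaps(log_text, nmap_text):
    """Return (offered but logged disabled, offered but absent from the log)."""
    cfg, offered = configured_state(log_text), offered_ciphers(nmap_text)
    disabled = sorted(c for c in offered if cfg.get(c) is False)
    unlisted = sorted(c for c in offered if c not in cfg)
    return disabled, unlisted

if __name__ == "__main__":
    disabled, unlisted = enforcement_gaps(ERROR_LOG, NMAP_OUTPUT)
    for c in disabled:
        print("MISMATCH: logged as disabled but negotiated:", c)
    for c in unlisted:
        print("UNKNOWN: negotiated but not in the startup log:", c)
```

Run against the full log and scan output, a non-empty first list is the symptom this bug describes: the logged preferences and the listening socket's actual cipher set disagree.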

