+++ This bug was initially created as a clone of Bug #1245279 +++
Description of problem:
LDAP clients (like ldapsearch) enable insecure ciphers as well as don't enable the most secure ones.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. tcpdump -i lo -U -w capture.pcap -s 0 port 22
2. ldapsearch -ZZ -H ldaps://localhost:22
3. open capture.pcap with wireshark, set the protocol type to SSL
Client Hello that advertises support for 42 ciphersuites, among them are export grade ciphers but no AES-GCM or SHA256 HMAC ciphers.
Client Hello that uses NSS default ciphers - no export grade, no single DES, but with AES-GCM and with SHA256 ciphers
--- Additional comment from Matus Honek on 2015-09-23 11:31:12 EDT ---
Commit adding new cipher suites to play along NSS default ciphers:
Commit adding checking for eNULL in DEFAULT handling:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.