Hide Forgot
Description of problem: sorry for the lack of investigation here. We have seen at least three customers that, after updating the nss component, have client applications failing to connect to server. Most of them are using java applications with java7. And in some cases the ciphers Diffie–Hellman key exchange (D–H) seems to be the root cause. In some cases, this has been solved by disabling the former alg. from client application. In case of Apache Directory Studio, java8 solved the issue. I am logging this bug for tracking purposes. Feel free to close it if it's not considered a bug but a tuning issue + documentation to send to customer about changes in the ciphers. Version-Release number of selected component (if applicable): nss-util-3.21.0-0.3.el6_7.x86_64 nss-3.21.0-0.3.el6_7.x86_64 389-ds-base-libs-1.2.11.15-72.el6_7.x86_64 389-ds-base-1.2.11.15-72.el6_7.x86_64
We have the same problem with the IBM webapplication server (WebSphere). There the Java 1.6 can not connect after the update. It also seams, that the priority of the cipher has changed. With the old nss (3.19.1-8.el6_7.x86_64) the connection is "AES128-GCM-SHA256" and after the update (3.21.0-0.3.el6_7.x86_64) it is changed to "DHE-RSA-AES128-GCM-SHA256". The new cipher need a diffie hellman parameter and this is 2048. The old java can only use 1024 and the connection fails. Is there any way to change the order of the cipher back to the older behavior?
Hi Gerald, a workaround has been given privately in this bug report. Either you change ciphers in RHDS disabling dhe ones: under dn: cn=encryption,cn=config append to the attribute called nsSSL3Ciphers the following spec: ,-tls_dhe_rsa_aes_128_sha,-tls_dhe_rsa_aes_256_sha or you could run java using: -Djdk.tls.ephemeralDHKeySize=2048 but this has been tested in java 7 only. thanks and regards, German.
(In reply to German Parente from comment #18) > > or you could run java using: > > -Djdk.tls.ephemeralDHKeySize=2048 > > but this has been tested in java 7 only. That'd be the perfect workaround although it seems it was introduced in Java 7. 7u85 Update Release Notes http://www.oracle.com/technetwork/java/javase/7u85-relnotes-2587591.html Support stronger strength ephemeral DH keys in the SunJSSE provider The ephemeral DH key size now defaults to 1024 bits during SSL/TLS handshaking in the SunJSSE provider. A new system property, "jdk.tls.ephemeralDHKeySize", is defined to customize the ephemeral DH key sizes. This can be set to "legacy" if the older JDK behavior (DH keysize of 768 bits) is desired. The DH key size for exportable ciphersuites remains at 512 bits.
in reply to the comment https://bugzilla.redhat.com/show_bug.cgi?id=1327065#c17 if the requirement is to keep weaker ciphers, about the RHDS workaround, you may also need to disable tls_dhe_rsa_with_aes_128_gcm_sha256
Thx to all for the workaround. I disabled the 3 named ciphers but the connection was still "DHE-RSA-AES128-GCM-SHA256" with dh 2048. So i removed one cipher after another to get the old Java 1.6 back to work. The impact to the security was to much, so i reverted back to the nss downgrade for the moment. There is also a ticket on the 389-ds list: https://fedorahosted.org/389/ticket/48798 According to our tests the parameter "-Djdk.tls.ephemeralDHKeySize=2048" didn't work with the old Java 1.6 clients.
Hi Gerald, thanks for your feedback. The list of all ciphers in nss component can be found here: http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html So, if we want to disable all DH ciphers, the list should be: -TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_DSS_WITH_AES_128_CBC_SHA, -TLS_DHE_DSS_WITH_AES_256_CBC_SHA, -TLS_DHE_DSS_WITH_DES_CBC_SHA, -TLS_DHE_DSS_WITH_RC4_128_SHA, -TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -TLS_DHE_RSA_WITH_DES_CBC_SHA, -TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, -TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, -TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, -TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, -TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, -TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, -TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, -TLS_ECDH_ECDSA_WITH_NULL_SHA, -TLS_ECDH_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_NULL_SHA, -TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -TLS_ECDHE_RSA_WITH_NULL_SHA, -TLS_ECDHE_RSA_WITH_RC4_128_SHA, -TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, -TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -TLS_ECDH_RSA_WITH_NULL_SHA, -TLS_ECDH_RSA_WITH_RC4_128_SHA, -TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_DSS_WITH_DES_CBC_SHA, -TLS_DHE_DSS_WITH_RC4_128_SHA, -TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_DHE_RSA_WITH_DES_CBC_SHA, -TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDHE_RSA_WITH_RC4_128_SHA, -TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -TLS_ECDH_RSA_WITH_RC4_128_SHA, -TLS_DH_DSS_WITH_AES_128_CBC_SHA, -TLS_DH_RSA_WITH_AES_128_CBC_SHA, -TLS_DH_DSS_WITH_AES_256_CBC_SHA, -TLS_DH_RSA_WITH_AES_256_CBC_SHA, -TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, -TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, -TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, -TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, -TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, -TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, -TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, -TLS_ECDHE_ECDSA_WITH_NULL_SHA, -TLS_ECDHE_RSA_WITH_NULL_SHA, -TLS_ECDH_RSA_WITH_NULL_SHA, -TLS_ECDH_ECDSA_WITH_NULL_SHA
Hi German, thx for the information. Disabling all the DH cipher works for the old Java 1.6 clients. But it is really a big impact to the security on the server :) At the moment we try to solve the problem on the client side. It seams that there is a backport of the "ephemeralDHKeySize" function for the Oracle, the IBM and the OpenJDK Java 6. Oracle Java "6u101 b14": http://www.oracle.com/technetwork/java/javase/overview-156328.html#6u101-b14 IBM Java "6 R1 SR8 FP15": http://www-01.ibm.com/support/docview.wss?uid=swg1IV78754 OpenJDK 6 (b36): http://mail.openjdk.java.net/pipermail/jdk6-dev/2015-July/003528.html Our first test with Java6 was with the IBM Java 6 SR7 and that coun't work. At the moment we are upgrading the test server for the next try. I will inform you about the result as soon as possible.
Our tests are done. With the versions described above the option "ephemeralDHKeySize" works also with Java 6 and the client can connect. We have now three ways to fix the problem: 1) Update Java :D 2) Disable the dh cipher (complete list ...) 3) Add a 1024 bit dh parameter to the server certificate We will use the first way to also improve the security. Thanks to all for the help.
> According to our tests the parameter "-Djdk.tls.ephemeralDHKeySize=2048" > didn't work with the old Java 1.6 clients. Only works with Java 1.7.0-85 and above I think.
added this article: https://access.redhat.com/solutions/2332231 Red Hat Directory Server and Java and C/C++ client applications TLS connections failed after RHEL 6.7 update with nss-3.21.0-0.3.el6_7.x86_64, DHE cipher params updates
Do we have Test packages for this Bugzilla?. If yes my customer would like to test this packages.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0667.html