Bug 1353714 - If a cipher is disabled, do not attempt to look it up
Summary: If a cipher is disabled, do not attempt to look it up
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-07 19:30 UTC by Noriko Hosoi
Modified: 2016-11-03 20:43 UTC

Fixed In Version: 389-ds-base-1.3.5.10-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 20:43:56 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2594 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2016-11-03 12:11:08 UTC

Description Noriko Hosoi 2016-07-07 19:30:53 UTC
Description of problem:

Description:  Even if an SSL cipher is disabled the server still attempts
              to locate the cipher in the security library.  If the disabled
              cipher is unknown it logs a warning at server startup, but
              if it's disabled there is no reason to check if it exists.

https://fedorahosted.org/389/ticket/48743

Comment 1 mreynolds 2016-07-07 19:55:16 UTC
Fixed upstream

Comment 3 Simon Pichugin 2016-07-29 14:03:24 UTC
Build tested:
389-ds-base-1.3.5.10-5.el7.x86_64

Verification steps:
1. Setup RHDS

2. Enable SSL/TLS as per the Admin Guide sec. 7.4 using the Admin Console

3. Use the default ciphers as part of the SSL/TLS enablement (fortezza family is enabled)

4. Check errors log for SSL alert about fortezza:
[root@rhel-dev slapd-rhel-dev]# grep fortezza /var/log/dirsrv/slapd-rhel-dev/errors
[29/Jul/2016:15:57:44.470979041 +0200] SSL alert: Cipher suite fortezza_null is not available in NSS 3.21.  Ignoring fortezza_null
[29/Jul/2016:15:57:44.504161610 +0200] SSL alert: Cipher suite fortezza is not available in NSS 3.21.  Ignoring fortezza
[29/Jul/2016:15:57:44.509658458 +0200] SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.21.  Ignoring fortezza_rc4_128_sha

5. Disable fortezza family using the Admin Console

6. Check errors log for SSL alert about fortezza:
[root@rhel-dev slapd-rhel-dev]# grep fortezza /var/log/dirsrv/slapd-rhel-dev/errors
[root@rhel-dev slapd-rhel-dev]# echo $?
1

Result: server doesn't check for disabled ciphers.
Marking as verified.

Comment 5 errata-xmlrpc 2016-11-03 20:43:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html