This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2278695 - Not able to remove ciphers from Directory Server
Summary: Not able to remove ciphers from Directory Server
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 11.8
Hardware: All
OS: Linux
high
high
Target Milestone: DS12.5
: dirsrv-12.5
Assignee: LDAP Maintainers
QA Contact: LDAP QA Team
Evgenia Martynyuk
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2024-05-02 19:22 UTC by Eugene Keck
Modified: 2024-06-26 13:51 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-06-26 13:51:28 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   DIRSRV-77 0 None None Red Hat Issue Tracker 2024-06-26 13:51:27 UTC
Red Hat Issue Tracker IDMDS-4402 0 None None None 2024-05-22 16:00:03 UTC

Description Eugene Keck 2024-05-02 19:22:54 UTC
Description of problem:
 Not able to remove ciphers

Version-Release number of selected component (if applicable):
 389-ds-base-1.4.3.37-2.module+el8.9.0+20974+3405b7e6.x86_64

How reproducible:
 Always

Steps to Reproduce:
 1. dsconf EXAMPLE-LOCAL security ciphers disable "TLS_RSA_WITH_AES_256_GCM_SHA384"
 2. dsctl EXAMPLE-LOCAL  restart

Actual results:
 WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)

Expected results:
 Disable cipher and not break SSL/TLS

Additional info:
 Did test all the following and each one gave the same error

 # dsconf EXAMPLE-LOCAL security ciphers disable "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 # dsconf EXAMPLE-LOCAL security ciphers disable "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
 # dsconf EXAMPLE-LOCAL security ciphers disable "TLS_RSA_WITH_AES_256_GCM_SHA384"

 Which does match

 # dsconf EXAMPLE-LOCAL  security ciphers list --supported | grep TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

 # dsconf EXAMPLE-LOCAL  security ciphers list --supported | grep TLS_RSA_WITH_AES_256_GCM_SHA384
 TLS_RSA_WITH_AES_256_GCM_SHA384

 # dsconf EXAMPLE-LOCAL  security ciphers list --supported | grep TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

 Also tried

 nsSSL3Ciphers: +default,-TLS_RSA_WITH_AES_256_GCM_SHA384
 nsSSL3Ciphers: -TLS_RSA_WITH_AES_256_GCM_SHA384

 Which also failed the same as

 nsSSL3Ciphers: default,-TLS_RSA_WITH_AES_256_GCM_SHA384
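
A post-restart check for the warning quoted above, as an added example that is not part of the bug report or of 389-ds-base: it pulls the rejected `nsSSL3Ciphers` value out of error-log lines and labels each token against the `+cipher1,-cipher2` format the warning states. The function names and the sample log lines (timestamps included) are constructed, and a value with no `noprefix` tokens is not guaranteed to be accepted, since the report says prefixed values failed as well.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not dsconf/dsctl features.

# Read error-log lines on stdin and print the cipher value from each
# "Failed to set SSL cipher preference information" warning.
rejected_cipher_specs() {
    sed -n 's/.*Failed to set SSL cipher preference information: invalid ciphers <\([^>]*\)>.*/\1/p'
}

# Split one value on commas and label each token by its prefix:
# "+name" -> enable, "-name" -> disable, anything else -> noprefix.
classify_tokens() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r tok; do
        case "$tok" in
            +?*) echo "enable ${tok#+}" ;;
            -?*) echo "disable ${tok#-}" ;;
            *)   echo "noprefix $tok" ;;
        esac
    done
}

# Report each distinct rejected value once, with its tokens indented below.
audit_cipher_warnings() {
    rejected_cipher_specs | sort -u | while IFS= read -r spec; do
        echo "rejected: $spec"
        classify_tokens "$spec" | sed 's/^/  /'
    done
}

# Constructed sample: the warning text is the one quoted in this report,
# the timestamps and the unrelated INFO line are made up. Two restarts
# produce the same warning twice.
sample_log() {
cat <<'EOF'
[02/May/2024:19:30:00.000000000 +0000] - INFO - main - constructed unrelated line
[02/May/2024:19:30:01.000000000 +0000] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
[02/May/2024:19:42:10.000000000 +0000] - WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
EOF
}

sample_log | audit_cipher_warnings
```

To run it against a real instance, pipe that instance's error log into `audit_cipher_warnings` in place of `sample_log`.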

Comment 2 Viktor Ashirov 2024-06-26 13:51:28 UTC
This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-77. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

