OpenLDAP does not properly negotiate ciphers with clients

Solution Unverified - Updated -

Issue

OpenLDAP is not following RFC 5246 when negotiating ciphers for communication.

When the following is set for OpenLDAP:

security ssf=256 tls=256 update_ssf=256 simple_bind=256 update_tls=256
TLSCipherSuite HIGH:-SSLv2

And the following command is run:

openssl s_client -connect localhost:636 -key /etc/pki/private/host.name.pem -cert /etc/pki/public/host.name.pub -cipher DHE-RSA-AES256-SHA:ADH-AES256-SHA:ECDHE-RSA-AES128-SHA

Then, the following is output in the system log:

Oct 23 19:05:36 host.name slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 host.name slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128

This should have been a 256-bit cipher. And, since the SSF is set to 256, all communication fails.
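A defender-side check for this condition, added here as an example and not part of the original article: it parses the slapd `security` directive shown above, extracts the required strength factor, and then scans `TLS established` lines in the system log for sessions whose negotiated `tls_ssf` falls below it. The log lines are the two from the issue plus one constructed 256-bit session for contrast; the function names and the third log line are this example's own, not OpenLDAP's.

```python
import re

# Constructed sample input: the `security` directive from the issue above.
SECURITY_DIRECTIVE = (
    "security ssf=256 tls=256 update_ssf=256 simple_bind=256 update_tls=256"
)

# Constructed sample log: the two lines from the issue plus one 256-bit
# session (conn=1002) added here to show a session that passes the check.
SAMPLE_LOG = """\
Oct 23 19:05:36 host.name slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 host.name slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:06:01 host.name slapd[32576]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
"""

# Matches the slapd "TLS established" log line and captures the strength factors.
TLS_LINE = re.compile(
    r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) TLS established "
    r"tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)"
)


def parse_security_directive(line):
    """Return the key=value factors of a slapd `security` directive as ints."""
    fields = line.split()
    if not fields or fields[0] != "security":
        raise ValueError("not a security directive: %r" % line)
    factors = {}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        factors[key] = int(value)
    return factors


def parse_tls_established(log_text):
    """Yield (conn, tls_ssf, ssf) for every 'TLS established' line in the log."""
    for line in log_text.splitlines():
        match = TLS_LINE.search(line)
        if match:
            yield (
                int(match.group("conn")),
                int(match.group("tls_ssf")),
                int(match.group("ssf")),
            )


def find_weak_sessions(log_text, directive):
    """Return (conn, tls_ssf, required) for each session whose negotiated
    TLS strength is below the configured `tls` factor (falling back to `ssf`)."""
    factors = parse_security_directive(directive)
    required = factors.get("tls", factors.get("ssf", 0))
    weak = []
    for conn, tls_ssf, _ssf in parse_tls_established(log_text):
        if tls_ssf < required:
            weak.append((conn, tls_ssf, required))
    return weak


if __name__ == "__main__":
    for conn, got, need in find_weak_sessions(SAMPLE_LOG, SECURITY_DIRECTIVE):
        print("conn=%d negotiated tls_ssf=%d, policy requires %d" % (conn, got, need))
```

Run against the sample log, the check reports conn=1000 and conn=1001 (tls_ssf=128 against a required 256) and stays silent on conn=1002. Feeding it the live system log is a quick way to confirm whether clients are actually landing on the cipher strength the `security` directive demands before the bind failures start.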

Environment

  • Red Hat Enterprise Linux 6
  • nss version 3.16.1-4
