OpenLDAP does not properly negotiate ciphers with clients

Solution Unverified - Updated -

Issue

OpenLDAP is not following RFC 5246 when negotiating ciphers for communication.

When the following is set for OpenLDAP:

security ssf=256 tls=256 update_ssf=256 simple_bind=256 update_tls=256
TLSCipherSuite HIGH:-SSLv2

And the following command is run:

openssl s_client -connect localhost:636 -key /etc/pki/private/host.name.pem -cert /etc/pki/public/host.name.pub -cipher DHE-RSA-AES256-SHA:ADH-AES256-SHA:ECDHE-RSA-AES128-SHA

Then, the following is output in the system log:

Oct 23 19:05:36 host.name slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 host.name slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128

This should have been a 256-bit cipher. And, since the required SSF is set to 256, all communication fails.
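To spot this condition from the defender's side, the following added example (not part of the Red Hat article or of OpenLDAP) parses the `security` directive quoted above and flags every `TLS established` log line whose negotiated `tls_ssf` falls below the configured minimum; the log lines and connection numbers are constructed in the format shown in the issue.

```python
import re
from typing import Dict, List

# The slapd.conf security directive quoted in the issue.
SECURITY_DIRECTIVE = "security ssf=256 tls=256 update_ssf=256 simple_bind=256 update_tls=256"

# Constructed sample log in the format slapd writes; conn=1002/1003 are invented
# to show a compliant session and a non-TLS line that must be ignored.
SAMPLE_LOG = """\
Oct 23 19:05:36 host.name slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 host.name slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:06:01 host.name slapd[32576]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
Oct 23 19:06:05 host.name slapd[32576]: conn=1003 fd=15 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:636)
"""

SECURITY_RE = re.compile(r"\b(\w+)=(\d+)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")


def parse_security_directive(line: str) -> Dict[str, int]:
    """Turn 'security ssf=256 tls=256 ...' into {'ssf': 256, 'tls': 256, ...}."""
    tokens = line.split()
    if not tokens or tokens[0] != "security":
        raise ValueError("not a slapd security directive")
    return {key: int(value) for key, value in SECURITY_RE.findall(line)}


def find_weak_tls_connections(log: str, required: Dict[str, int]) -> List[dict]:
    """Return the TLS sessions whose negotiated strength is below the configured
    'tls' minimum (falling back to 'ssf'). slapd refuses operations on these
    connections, which is why every client request fails in the issue above."""
    minimum = required.get("tls", required.get("ssf", 0))
    weak = []
    for line in log.splitlines():
        match = TLS_RE.search(line)
        if not match:
            continue  # ACCEPT, BIND and other lines carry no negotiated SSF
        conn, tls_ssf, ssf = (int(x) for x in match.groups())
        if tls_ssf < minimum:
            weak.append({"conn": conn, "tls_ssf": tls_ssf, "ssf": ssf, "required": minimum})
    return weak


if __name__ == "__main__":
    for entry in find_weak_tls_connections(SAMPLE_LOG, parse_security_directive(SECURITY_DIRECTIVE)):
        print(f"conn={entry['conn']}: tls_ssf={entry['tls_ssf']} < required {entry['required']}")
```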

Environment

  • Red Hat Enterprise Linux 6
  • nss version 3.16.1-4
