OpenLDAP does not properly negotiate ciphers with clients
Issue
OpenLDAP is not following RFC 5246 when negotiating ciphers for communication.
When the following is set for OpenLDAP:
security ssf=256 tls=256 update_ssf=256 simple_bind=256 update_tls=256
TLSCipherSuite HIGH:-SSLv2
And the following command is run:
openssl s_client -connect localhost:636 -key /etc/pki/private/host.name.pem -cert /etc/pki/public/host.name.pub -cipher DHE-RSA-AES256-SHA:ADH-AES256-SHA:ECDHE-RSA-AES128-SHA
Then, the following is output in the system log:
Oct 23 19:05:36 host.name slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 host.name slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128
This should have been a 256-bit cipher, and since the SSF is set to 256, all communication fails.
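As an added example (not part of the Red Hat article or of OpenLDAP itself), the following Python check parses slapd "TLS established" log lines in the format shown above and flags every connection whose negotiated tls_ssf falls below the configured security ssf of 256. The first two sample lines copy the page's output; the last two are constructed to show a compliant handshake and an unrelated line.

```python
import re

# Required minimum security strength factor, matching the page's
# "security ssf=256 tls=256 ..." slapd setting.
REQUIRED_SSF = 256

# Matches the slapd "TLS established" log line as shown on the page.
TLS_ESTABLISHED = re.compile(
    r"slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) fd=(?P<fd>\d+) "
    r"TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)"
)

# Constructed sample log: lines 1-2 copy the page, lines 3-4 are constructed
# (a compliant 256-bit handshake and a connection-closed line to be skipped).
SAMPLE_LOG = """\
Oct 23 19:05:36 host.name slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 host.name slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:06:01 host.name slapd[32576]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
Oct 23 19:06:05 host.name slapd[32576]: conn=1002 fd=14 closed
"""

def parse_tls_established(line):
    """Return (conn, tls_ssf, ssf) for a 'TLS established' line, else None."""
    m = TLS_ESTABLISHED.search(line)
    if not m:
        return None
    return int(m.group("conn")), int(m.group("tls_ssf")), int(m.group("ssf"))

def weak_tls_connections(log_text, required_ssf=REQUIRED_SSF):
    """List connections whose negotiated tls_ssf is below required_ssf.

    With 'security ssf=256' slapd refuses operations on such connections,
    which is why the page reports that all communication fails.
    """
    weak = []
    for line in log_text.splitlines():
        parsed = parse_tls_established(line)
        if parsed is None:
            continue  # not a TLS handshake line (e.g. "closed")
        conn, tls_ssf, _ssf = parsed
        if tls_ssf < required_ssf:
            weak.append({"conn": conn, "tls_ssf": tls_ssf, "required": required_ssf})
    return weak

if __name__ == "__main__":
    for entry in weak_tls_connections(SAMPLE_LOG):
        print("conn=%(conn)d negotiated tls_ssf=%(tls_ssf)d < required %(required)d" % entry)
```

Pointing the script at a real /var/log/messages lets an administrator confirm whether 128-bit negotiations are still occurring after changing TLSCipherSuite.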
Environment
- Red Hat Enterprise Linux 6
- nss version 3.16.1-4