The default enabled ciphers configured by enabling SSL in the RHDS Admin Console contain unsupported ciphers
Issue
- When I use the redhat-idm-console to enable SSL support for a directory server, the ciphers as displayed in the attachment picture are used by default.
- When I look at the LDIF in question which is being used, this is what happens:

      replace: nsSSL3Ciphers
      nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha

- When I restart the Directory Server using these settings, I get the following string of error messages in the error log:

      [07/Oct/2015:16:57:21 +0200] - SSL alert: Cipher suite fortezza is not available in NSS 3.19. Ignoring fortezza
      [07/Oct/2015:16:57:21 +0200] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19. Ignoring fortezza_rc4_128_sha
      [07/Oct/2015:16:57:21 +0200] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.19. Ignoring fortezza_null
Environment
- Red Hat Directory Server (RHDS) 10.0
- 389-ds-base-1.3.3.1-20.el7_1
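
As an added example (not part of the Red Hat article and not Red Hat tooling), the following Python script cross-references the nsSSL3Ciphers value with the error-log lines quoted in the Issue section. It reports which enabled ciphers NSS ignored and which of the rest are weak by name. The function names and the weak-token table are assumptions of this example.

```python
import re

# Constructed input: the nsSSL3Ciphers value from this page, LDIF folding removed.
CIPHERS = (
    "-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,"
    "+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,"
    "+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,"
    "+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,"
    "+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha"
)
# The three error-log lines from this page.
ERROR_LOG = """\
[07/Oct/2015:16:57:21 +0200] - SSL alert: Cipher suite fortezza is not available in NSS 3.19. Ignoring fortezza
[07/Oct/2015:16:57:21 +0200] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.19. Ignoring fortezza_rc4_128_sha
[07/Oct/2015:16:57:21 +0200] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.19. Ignoring fortezza_null
"""
# Name tokens treated as weak here (an assumption of this example, not a Red Hat list).
WEAK = {"null": "no encryption", "rc4": "RC4", "rc2": "RC2", "des": "single DES"}

def parse_ciphers(value):
    """Map cipher name -> True (+, enabled) or False (-, disabled)."""
    out = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        if item[0] not in "+-":
            raise ValueError(f"missing +/- prefix: {item!r}")
        out[item[1:]] = item[0] == "+"
    return out

def weak_reasons(name):
    """Classify by underscore-separated tokens, so '3des' is not matched as 'des'."""
    reasons = []
    for tok in name.split("_"):
        if tok.startswith("export"):
            reasons.append("export-grade")
        elif tok in WEAK:
            reasons.append(WEAK[tok])
    return reasons

def audit(value, log_text):
    """Split the enabled ciphers into unavailable / weak / not flagged."""
    ignored = set(re.findall(r"Cipher suite (\S+) is not available in NSS", log_text))
    enabled = [n for n, on in parse_ciphers(value).items() if on]
    usable = [n for n in enabled if n not in ignored]
    return {
        "unavailable": [n for n in enabled if n in ignored],
        "weak": {n: weak_reasons(n) for n in usable if weak_reasons(n)},
        "not_flagged": [n for n in usable if not weak_reasons(n)],  # not a claim of strength
    }

if __name__ == "__main__":
    for bucket, names in audit(CIPHERS, ERROR_LOG).items():
        print(bucket, names)
```

The "not_flagged" bucket only means the name checks above did not match; it does not rate those ciphers as strong.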
