Hi,

We have an application which uses the pam_ldap.so module to connect to an LDAP server. 
Our application (i.e. the client) uses openldap (2.4.36) which is built against the 
Mozilla NSS library (3.15.3), and as per the NSS official website, it 
supports the TLSv1.2 protocol/ciphers. Our application runs on RHEL 6 and we have 
configured pam_ldap.conf with the following parameters:

=======
host XXXXXXX
base dc=XXXX, dc=YYYY
ssl on
tls_ciphers TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL
=======


SERVER CONFIGURATION:

The LDAP server uses openldap (2.4.36) built against openssl 1.0.1e and has the 
following parameters in the slapd.conf file; openssl 1.0.1e does support the TLSv1.2 
protocol/ciphers.

=======
TLSCipherSuite TLSv1.2
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/servercrt.pem
TLSCertificateKeyFile  /etc/openldap/serverkey.pem
TLSVerifyClient never
=======

The problem is that our application (client) is unable to connect to the LDAP server 
if we specify "tls_ciphers TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL", "tls_ciphers 
TLSv1.2" or "tls_ciphers TLSv1.2+HIGH" as the cipher suite. As per the server logs we 
get the following error:

TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared 
cipher.
529490c6 conn=1004 fd=15 closed (TLS negotiation failure)
529490c6 conn=1005 fd=15 ACCEPT from IP=9.74.13.113:37377 (IP=9.30.12.41:636)
TLS: can't accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared 
cipher.
529490c6 conn=1005 fd=15 closed (TLS negotiation failure)

From the error message it seems that the server and client have no shared TLS 1.2 
ciphers, which is hard to digest as both the openssl and Mozilla NSS libraries 
support the TLS 1.2 protocol/ciphers. If we specify the ciphers 'SSLv3' (both in the 
server and the client) then it works fine. Also, if we build our client 
openldap (i.e. our application) against the openssl libraries then things work fine.

It will be really helpful if someone could let me know the root cause of the 
issue. Is it possible that Mozilla NSS and Openssl don't have any common TLS 
1.2 ciphers, or is it a bug in openldap/Mozilla NSS? Is there any way to find 
out the TLS 1.2 ciphers supported by Mozilla NSS? Also, is there any way to 
determine the ciphers chosen by the openldap server? I used different openldap server 
debugging levels (i.e. the -d option) but found none.

Any help would be really appreciated.

With Regards,
Sam

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Ltd. does not accept any liability for virus infected mails.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
