Re: TLS 1.2 Issue with openldap 2.4.36 built on NSS 3.15.3

Tue, 26 Nov 2013 10:40:53 -0800 

On Tue, Nov 26, 2013 at 01:14:50PM +0000, Sameer Stephen wrote:
> Hi,
> 
> We have an application which uses pam_ldap.so module to connect to LDAP 
> server. Our application( i.e. client ) uses openldap(2.4.36) which  is built 
> against mozilla NSS library(3.15.3) and as per NSS mozilla official website, 
> it supports TLSv1.2 protocol/ciphers. Our application run on RHEL 6 and we 
> have configured pam_ldap.conf with following parameters:
> 
> =======
> host XXXXXXX
> base dc=XXXX, dc=YYYY
> ssl on
> tls_ciphers TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL
> =======

That looks like an openssl string to me.  That would give you the
following ciphers if you use openssl 1.0.1:
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

Is there a reason why you disable GCM?  I can see no good
reason to disable it.  It really is what you want in the first
place.

As far as I know NSS doesn't support any of those.  As far as I
know the only cipher that requires TLS 1.2 and is supported by NSS
is currently the GCM one.  But I'm not sure which version of NSS
has support for GCM.



Kurt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to