On Tue, Nov 26, 2013 at 01:14:50PM +0000, Sameer Stephen wrote:
> Hi,
>
> We have an application which uses the pam_ldap.so module to connect to an LDAP
> server. Our application (i.e. the client) uses openldap (2.4.36), which is built
> against the Mozilla NSS library (3.15.3), and as per the official Mozilla NSS website,
> it supports the TLSv1.2 protocol/ciphers. Our application runs on RHEL 6 and we
> have configured pam_ldap.conf with the following parameters:
>
> =======
> host XXXXXXX
> base dc=XXXX, dc=YYYY
> ssl on
> tls_ciphers TLSv1.2+HIGH:!AESGCM:!aNULL:!eNULL
> =======
That looks like an openssl string to me. That would give you the following
ciphers if you use openssl 1.0.1:

ECDHE-RSA-AES256-SHA384   TLSv1.2 Kx=ECDH       Au=RSA   Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH       Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH         Au=RSA   Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256     TLSv1.2 Kx=DH         Au=DSS   Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-SHA384    TLSv1.2 Kx=ECDH/RSA   Au=ECDH  Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH  Enc=AES(256)  Mac=SHA384
AES256-SHA256             TLSv1.2 Kx=RSA        Au=RSA   Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-SHA256   TLSv1.2 Kx=ECDH       Au=RSA   Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH       Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256     TLSv1.2 Kx=DH         Au=RSA   Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256     TLSv1.2 Kx=DH         Au=DSS   Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA256    TLSv1.2 Kx=ECDH/RSA   Au=ECDH  Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH  Enc=AES(128)  Mac=SHA256
AES128-SHA256             TLSv1.2 Kx=RSA        Au=RSA   Enc=AES(128)  Mac=SHA256

Is there a reason why you disable GCM? I can see no good reason to disable it.
It really is what you want in the first place.

As far as I know NSS doesn't support any of those. As far as I know the only
cipher that requires TLS 1.2 and is supported by NSS is currently the GCM one.
But I'm not sure which version of NSS has support for GCM.

Kurt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
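Added example, not part of the thread: a small Python script that parses `openssl ciphers -v` output in the column format quoted in the reply and reports which of the selected suites are AEAD (the GCM-style suites the reply recommends) and which lack forward secrecy (static ECDH and plain RSA key exchange). The embedded sample is constructed from four suites in the reply plus one GCM suite added for contrast; feed it the real output of `openssl ciphers -v '<your string>'` to audit your own tls_ciphers setting.

```python
import re

# Constructed sample input: four suites from the OpenSSL 1.0.1 expansion quoted
# in the reply, plus one GCM suite (not in the reply) to show how AEAD is flagged.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)    Mac=SHA384
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA256
ECDH-RSA-AES256-SHA384      TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)    Mac=SHA384
AES256-SHA256               TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

# One line per suite: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers(text):
    """Return one dict per recognised `openssl ciphers -v` line."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore blank lines and anything that is not a suite line
            name, proto, kx, au, enc, mac = m.groups()
            suites.append({"name": name, "protocol": proto, "kx": kx,
                           "au": au, "enc": enc, "mac": mac})
    return suites

def is_aead(suite):
    """OpenSSL prints Mac=AEAD for GCM, CCM and ChaCha20-Poly1305 suites."""
    return suite["mac"] == "AEAD"

def has_forward_secrecy(suite):
    """Ephemeral (EC)DH is printed as bare Kx=ECDH or Kx=DH; static ECDH shows
    as Kx=ECDH/RSA or Kx=ECDH/ECDSA, and RSA key transport as Kx=RSA."""
    return suite["kx"] in ("ECDH", "DH")

def audit(text):
    """Summarise the selected suites: count, AEAD suites, suites without PFS."""
    suites = parse_ciphers(text)
    return {
        "total": len(suites),
        "aead": [s["name"] for s in suites if is_aead(s)],
        "no_pfs": [s["name"] for s in suites if not has_forward_secrecy(s)],
        "tls12_only": all(s["protocol"] == "TLSv1.2" for s in suites),
    }

if __name__ == "__main__":
    # On the output of the thread's own string, 'aead' comes back empty,
    # because !AESGCM removed every AEAD suite; that is the point of the reply.
    for key, value in audit(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```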