On Fri, Nov 29, 2013 at 04:07:35AM -0800, sameer...@gmail.com wrote: > Hi, > > I found some new behavior with openldap server built against Mozilla > NSS(3.15.3) and our requirement is to use only TLSv1.2 ciphers only.
I have no idea what you really mean with this. Please note that ciphers can typically be used with more than 1 version of TLS. There ussually is a minimum version and maximum version of SSL/TLS a cipher can be used with. I'm going to guess that you're talking about ciphers that minimum require TLS 1.2. Those would be all ciphers that can use SHA-2, and GCM but you don't seem to like that. I would like to point out again that GCM is really what you want and I suggest you try to convince your user that that is what he wants. As far as I know, NSS does not have any ciphers with SHA-2 other than GCM, and so I think what you want is not currently possible with NSS. > If I have following LDAP (Server+Client)configuration: > > Scenario 1: > > Openldap Server built against NSS(slap.conf) Openldap client > built against NSS(pam_ldap.conf) > TLSCipherSuite TLSv1.2 tls_ciphers > TLSv1.2 > > Communication fails with LDAP server throwing following error: > --TLS: could not set cipher list TLSv1.2. > > Any idea why LDAP server is throwing above error. Is that the case that > cipher string "TLSv1.2" is not recognized by Mozilla NSS. Maybe openldap doesn't know how to translate TLSv1.2 for NSS yet? Please note that you give it an openssl string and that openldap translates this to something for NSS. > Scenario 2: > Openldap Server built againit NSS(slap.conf) Openldap client > built against NSS(pam_ldap.conf) > TLSCipherSuite TLSv1.2+HIGH tls_ciphers > SSLv3 > > Scenario 3: > Openldap Server built againit NSS(slap.conf) Openldap client > built against NSS(pam_ldap.conf) > TLSCipherSuite SSlv3 tls_ciphers > TLSv1.2+HIGH > > In Scenario 2 and 3, communication is successfully established. Any idea > which protocol ciphers is used for establishing the communication. AFAIK > SSLv3 and TLSv1.2 ciphers are different and incompatible. I suggest you monitor the network communication with something like wireshark and then look at the Server Hello. It should say which cipher the server selected. It will also tell which TLS version is used, but please note that if it says 1.2 that that doesn't mean it's a 1.2 cipher. Kurt -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
