Bug 1341981 - Can't connect to OpenLDAP server on RHEL6 any longer
Summary: Can't connect to OpenLDAP server on RHEL6 any longer
Keywords:
Status: CLOSED DUPLICATE of bug 1342158
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-06-02 08:13 UTC by Terje Røsten
Modified: 2016-06-14 17:06 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-14 17:06:35 UTC
Type: Bug
Embargoed:



Description Terje Røsten 2016-06-02 08:13:37 UTC
Description of problem:

ldapsearch, sssd and other LDAP clients (linked with nss)
can no longer connect to an OpenLDAP server running on RHEL6.

gnutls-cli-debug output:

                             for SSL 3.0 (RFC6101) support... yes
                        whether we need to disable TLS 1.2... no
                        whether we need to disable TLS 1.1... no
                        whether we need to disable TLS 1.0... no
                        whether %NO_EXTENSIONS is required... no
                               whether %COMPAT is required... no
                             for TLS 1.0 (RFC2246) support... yes
                             for TLS 1.1 (RFC4346) support... yes
                             for TLS 1.2 (RFC5246) support... yes
                                  fallback from TLS 1.6 to... TLS1.2
              for inappropriate fallback (RFC7507) support... yes
                               for certificate chain order... sorted
                  for safe renegotiation (RFC5746) support... yes
                     for Safe renegotiation support (SCSV)... yes
                    for encrypt-then-MAC (RFC7366) support... no
                   for ext master secret (RFC7627) support... no
                           for heartbeat (RFC6520) support... no
                       for version rollback bug in RSA PMS... dunno
                  for version rollback bug in Client Hello... no
            whether the server ignores the RSA PMS version... yes
whether small records (512 bytes) are tolerated on handshake... yes
    whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
         whether the server understands TLS closure alerts... partially
            whether the server supports session resumption... yes
                      for anonymous authentication support... no
                      for ephemeral Diffie-Hellman support... yes
                   for ephemeral EC Diffie-Hellman support... yes
                    ephemeral EC Diffie-Hellman group info... SECP256R1
                  for AES-128-GCM cipher (RFC5288) support... no
                  for AES-128-CCM cipher (RFC6655) support... no
                for AES-128-CCM-8 cipher (RFC6655) support... no
                  for AES-128-CBC cipher (RFC3268) support... yes
             for CAMELLIA-128-GCM cipher (RFC6367) support... no
             for CAMELLIA-128-CBC cipher (RFC5932) support... no
                     for 3DES-CBC cipher (RFC2246) support... yes
                  for ARCFOUR 128 cipher (RFC2246) support... yes
                                       for MD5 MAC support... yes
                                      for SHA1 MAC support... yes
                                    for SHA256 MAC support... yes
                              for ZLIB compression support... no
                     for max record size (RFC6066) support... no
                for OCSP status response (RFC6066) support... no
              for OpenPGP authentication (RFC6091) support... no


ldapsearch says:

$ ldapsearch -d256 -ZZ -x -h example.com
TLS: could not set SSLv2 mode on.
TLS: error: could not initialize moznss security context - error -8187:security library: invalid arguments.
TLS: can't create ssl handle.
ldap_start_tls: Connect error (-11)

OpenLDAP server is using:

olcSecurity: ssf=112
olcLocalSSF: 71

I guess recent (config?) changes in nss cause this?

Any ideas?
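The gnutls-cli-debug output in the description is a useful TLS posture scan of the RHEL6 OpenLDAP server in its own right: besides TLS 1.0 to 1.2 it still accepts SSL 3.0, RC4, 3DES and HMAC-MD5, and offers no AEAD suite, no encrypt-then-MAC and no extended master secret. The following script is an added example by the editor, not code from the bug report, nss or OpenLDAP. It parses the "for X ... yes/no" probe lines that gnutls-cli-debug prints and flags the answers a hardening review would object to. The SAMPLE_REPORT is a subset reconstructed from the output pasted above; HARDENED_REPORT and the weak/strong policy tables are the editor's own constructions, not anything gnutls or OpenLDAP defines.

```python
"""Audit a gnutls-cli-debug report for weak TLS features.

Added example (not from the bug report): parses the "for X ... yes/no"
lines that gnutls-cli-debug prints and flags the answers a hardening
review would object to.  SAMPLE_REPORT is reconstructed from the output
in the bug description; HARDENED_REPORT and the policy tables are the
editor's assumptions, not a gnutls or OpenLDAP definition.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the gnutls-cli-debug lines in the description.
SAMPLE_REPORT = """\
                             for SSL 3.0 (RFC6101) support... yes
                             for TLS 1.0 (RFC2246) support... yes
                             for TLS 1.1 (RFC4346) support... yes
                             for TLS 1.2 (RFC5246) support... yes
              for inappropriate fallback (RFC7507) support... yes
                  for safe renegotiation (RFC5746) support... yes
                    for encrypt-then-MAC (RFC7366) support... no
                   for ext master secret (RFC7627) support... no
                      for ephemeral Diffie-Hellman support... yes
                   for ephemeral EC Diffie-Hellman support... yes
                  for AES-128-GCM cipher (RFC5288) support... no
                  for AES-128-CBC cipher (RFC3268) support... yes
                     for 3DES-CBC cipher (RFC2246) support... yes
                  for ARCFOUR 128 cipher (RFC2246) support... yes
                                       for MD5 MAC support... yes
                                      for SHA1 MAC support... yes
                                    for SHA256 MAC support... yes
                              for ZLIB compression support... no
"""

# Constructed sample of what a hardened server should report (editor's assumption).
HARDENED_REPORT = """\
                             for SSL 3.0 (RFC6101) support... no
                             for TLS 1.2 (RFC5246) support... yes
                  for safe renegotiation (RFC5746) support... yes
                    for encrypt-then-MAC (RFC7366) support... yes
                   for ext master secret (RFC7627) support... yes
                  for AES-128-GCM cipher (RFC5288) support... yes
                     for 3DES-CBC cipher (RFC2246) support... no
                  for ARCFOUR 128 cipher (RFC2246) support... no
                                       for MD5 MAC support... no
                              for ZLIB compression support... no
"""

# Each probe line is "<indent>for|whether <probe>... <answer>".
LINE_RE = re.compile(r"^\s*(?:for|whether)\s+(.*?)\.\.\.\s*(\S.*)$")

# Probes whose presence ("yes") is a finding.
BAD_IF_YES = {
    "SSL 3.0 (RFC6101) support": "SSLv3 enabled (deprecated by RFC 7568; POODLE)",
    "3DES-CBC cipher (RFC2246) support": "3DES accepted (64-bit block; Sweet32)",
    "ARCFOUR 128 cipher (RFC2246) support": "RC4 accepted (prohibited by RFC 7465)",
    "MD5 MAC support": "HMAC-MD5 cipher suites accepted",
    "ZLIB compression support": "TLS compression enabled (CRIME)",
}
# Probes whose absence ("no") is a finding.
BAD_IF_NO = {
    "TLS 1.2 (RFC5246) support": "TLS 1.2 not offered",
    "AES-128-GCM cipher (RFC5288) support": "no AEAD cipher suite (AES-GCM) available",
    "encrypt-then-MAC (RFC7366) support": "CBC suites without encrypt-then-MAC (RFC 7366)",
    "ext master secret (RFC7627) support": "no extended master secret (RFC 7627)",
    "safe renegotiation (RFC5746) support": "no safe renegotiation (RFC 5746)",
}


def parse_report(text: str) -> Dict[str, str]:
    """Map each probe name to its lower-cased answer ('yes', 'no', 'dunno', ...)."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results[m.group(1).strip()] = m.group(2).strip().lower()
    return results


def audit(results: Dict[str, str]) -> List[str]:
    """Return the findings for a parsed report, weak-present first, then strong-missing."""
    findings = [why for probe, why in BAD_IF_YES.items() if results.get(probe) == "yes"]
    findings += [why for probe, why in BAD_IF_NO.items() if results.get(probe) == "no"]
    return findings


if __name__ == "__main__":
    for finding in audit(parse_report(SAMPLE_REPORT)):
        print("FINDING:", finding)
    print("hardened sample findings:", audit(parse_report(HARDENED_REPORT)))
```

Run against the report from the description it yields seven findings (SSLv3, 3DES, RC4, HMAC-MD5 present; AES-GCM, encrypt-then-MAC and extended master secret missing), and none against the hardened sample. Feed it real output with `gnutls-cli-debug -p 389 host | python audit.py` after replacing SAMPLE_REPORT with `sys.stdin.read()`.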

Comment 1 Kai Engert (:kaie) (inactive account) 2016-06-02 09:04:23 UTC
Can you please provide the full set of package versions that work for you, and the set of versions that fail for you?

Comment 2 Terje Røsten 2016-06-02 10:49:43 UTC
Now running nss-3.24.0-2.1.fc25.x86_64 which fails, 
going down to nss-3.23.0-4.fc25.x86_64 it works.

Comment 3 Terje Røsten 2016-06-02 10:59:40 UTC
nss-3.23.0-5.fc25.x86_64 works
nss-3.23.0-6.fc25.x86_64 works
nss-3.23.0-7.fc25.x86_64 works
nss-3.23.0-8.fc25.x86_64 works
nss-3.23.0-9.fc25.x86_64 works
nss-3.24.0-2.0.fc25.x86_64 fails

Comment 4 Sammy 2016-06-02 13:07:22 UTC
Same problem with httpd and nss-3.24.0 on Fedora 23. Renaming
/etc/httpd/conf.d/nss.conf to /etc/httpd/conf.d/nss.conf-BAK
solves the problem, but that is obviously not the correct solution.

Comment 5 Terje Røsten 2016-06-06 07:35:07 UTC
nss-3.24.0-2.3.fc25.x86_64 works, thanks!

Comment 6 Kai Engert (:kaie) (inactive account) 2016-06-14 17:06:35 UTC
(In reply to Terje Røsten from comment #5)
> nss-3.24.0-2.3.fc25.x86_64 works, thanks!

Thanks for the feedback.

If that version works for you, then this bug seems to be a duplicate of bug 1342158.

*** This bug has been marked as a duplicate of bug 1342158 ***

