- Bug
- Resolution: Unresolved
- Critical
- dirsrv-11.8
Description of problem:
Not able to remove ciphers
Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.37-2.module+el8.9.0+20974+3405b7e6.x86_64
How reproducible:
Always
Steps to Reproduce:
1. dsconf EXAMPLE-LOCAL security ciphers disable "TLS_RSA_WITH_AES_256_GCM_SHA384"
2. dsctl EXAMPLE-LOCAL restart
Actual results:
WARN - Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,-TLS_RSA_WITH_AES_256_GCM_SHA384>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
Expected results:
Disable cipher and not break SSL/TLS
Additional info:
Did test all the following and each one gave the same error
- dsconf EXAMPLE-LOCAL security ciphers disable "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
- dsconf EXAMPLE-LOCAL security ciphers disable "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
- dsconf EXAMPLE-LOCAL security ciphers disable "TLS_RSA_WITH_AES_256_GCM_SHA384"
Which does match
- dsconf EXAMPLE-LOCAL security ciphers list --supported | grep TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- dsconf EXAMPLE-LOCAL security ciphers list --supported | grep TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
- dsconf EXAMPLE-LOCAL security ciphers list --supported | grep TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Also tried
nsSSL3Ciphers: +default,-TLS_RSA_WITH_AES_256_GCM_SHA384
nsSSL3Ciphers: -TLS_RSA_WITH_AES_256_GCM_SHA384
Which also failed the same as
nsSSL3Ciphers: default,-TLS_RSA_WITH_AES_256_GCM_SHA384