Closed Bug 1366685 Opened 8 years ago Closed 8 years ago

NSS is failed to communicate with Oracle Directory Server on cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

Categories

(NSS :: Libraries, defect, P3)

3.30.2
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: kmpmuni, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170504105526

Steps to reproduce:

ODSEE is installed on the server side and the NSS libraries are used by the client. The NSS libraries are unable to communicate with the Oracle Directory Server when the cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 is enabled in ODSEE.

Setup details

Client is on Solaris SPARC and the NSS libs are compiled with NSS_DISABLE_ECC=0 (default).
Server: Oracle Directory Server Enterprise Edition (ODSEE) version 11.1.1.7.3 with JRE version 1.7_10.

NSS is able to establish TLS 1.2 with ODSEE using RC4 ciphers when the server side is enabled with the ciphers below:

enabledSSLCipherSuites: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
enabledSSLCipherSuites: SSL_DH_anon_WITH_RC4_128_MD5
enabledSSLCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
enabledSSLCipherSuites: SSL_RSA_WITH_RC4_128_MD5
enabledSSLCipherSuites: SSL_RSA_WITH_RC4_128_SHA
enabledSSLCipherSuites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
enabledSSLCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA
enabledSSLCipherSuites: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
enabledSSLCipherSuites: TLS_ECDH_RSA_WITH_RC4_128_SHA
enabledSSLCipherSuites: TLS_ECDH_anon_WITH_RC4_128_SHA
enabledSSLCipherSuites: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
enabledSSLCipherSuites: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
enabledSSLCipherSuites: TLS_KRB5_WITH_RC4_128_MD5
enabledSSLCipherSuites: TLS_KRB5_WITH_RC4_128_SHA

When the cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 is added, NSS fails to communicate with ODSEE.

Network packets were captured in Wireshark, which showed:

4 0.012388 Client_ip ODSEE_ip TLSv1.2 201 Client Hello
11 0.018019 ODSEE_ip Client_ip TLSv1.2 640 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
13 0.030645 Client_ip ODSEE_ip TLSv1.2 61 Alert (Level: Fatal, Description: Illegal Parameter)

Packet 13 shows:

Secure Sockets Layer
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message

On the server side, the ODSEE log shows the exception below:

[08/Mar/2017:16:49:25 +0000] - DISCONNECT - INFO - conn=1112342 reason="other" msg="Exception caught while polling client connection LDAPS.client_ip.port -- javax.net.ssl.SSLException: Received fatal alert: illegal_parameter"
Summary: NSS is failed to communicate with Oracle sun one directory server on cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 → NSS is failed to communicate with Oracle directory server on cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Summary: NSS is failed to communicate with Oracle directory server on cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 → NSS is failed to communicate with Oracle Directory Server on cipher TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Is this still happening with the latest NSS version?
Flags: needinfo?(kmpmuni)
Priority: -- → P3
This is not a bug in the NSS libs. This issue is resolved by the following change in ODSEE.

Need to change the config in ODSEE: add a new cipher suite as below.

enabled-ssl-cipher-suites:JRE
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kmpmuni)
Resolution: --- → INVALID