
List:       forgerock-opendj
Subject:    Re: [Opendj] native LDAP ... .RedHat 6.2/6.3 client ... OpenDJ server
From:       Bernhard Thalmayr <bernhard.thalmayr () painstakingminds ! com>
Date:       2014-04-17 8:01:15
Message-ID: 534F8A4B.7080804 () painstakingminds ! com

On 4/16/14 8:06 AM, Jim Klimov wrote:
> On 14 April 2014 21:57:45 CEST, Bernhard Thalmayr
> <bernhard.thalmayr@painstakingminds.com> wrote:
> > Hi experts, sorry for posting this kind of off-topic question.
> > 
> > I was wondering if someone was successful in using OpenDJ as server for
> > 'native LDAP' RedHat 6.2/6.3 clients.
> > 
> > It seems that for some strange reasons RedHat initialises Mozilla NSS on
> > the client with a very restrictive set of cipher suites, so that there is
> > no overlap with the default cipher suites provided by JSSE from Java 7
> > (not even when using unrestricted policy files).
> > 
> > I've tried to use the TLS_CIPHER_SUITE property in /etc/openldap/ldap.conf,
> > but it seems the setting is not applied (the offered cipher suites in the
> > SSL Client Hello do not change according to a network trace).
> > 
> > RedHat has changed behavior starting from 6.4, but I can not upgrade the
> > client ATM.
> > 
> > Any pointers available?
> > 
> > TIA,
> > Bernhard
> > 
> > P.S. SELinux is turned off. Unfortunately ltrace 0.5 (provided with
> > RHEL) does not yet offer tracing of inter-library calls, so I can not
> > find out which NSS API call is done. CentOS 6.3 is not behaving the
> > same.
> 
> This is reminiscent of a behaviour we had when some TLS or HTTPS services stopped
> working on our appservers, and it was traced IIRC to TLSv1 disabled by default on
> Java past 1.6.30 (approx), often leaving no compatible cipher suites between
> servers and clients. Maybe your older RHEL fits into such a category?
> See if just starting OpenDJ with an earlier 1.6 Java fixes your situation, and if
> this is a hit, research the 'proper' setup (tons of blogs about 2 years ago) to
> explicitly enable ciphers and use a newer JVM if possible... or document why you
> stick to the old one so it is not upgraded by mistake while the old clients exist
> ;) HTH,

Well, it's the way RH inits the NSS lib. Updating the NSS/NSPR, openldap, 
openldap-client and nss_pam_ldap libs on RH seems to be the only 
workaround/solution.

Thanks anyway.

Regards,
Bernhard

> //Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
> 
> 


-- 
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

bernhard.thalmayr@painstakingminds.com - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If 
you are not the intended recipient (or have received this email in 
error) please notify the sender immediately and delete this e-mail. Any 
unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.
_______________________________________________
OpenDJ mailing list
OpenDJ@forgerock.org
https://lists.forgerock.org/mailman/listinfo/opendj
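The check Bernhard describes above, reading the cipher suites a client offers out of the TLS Client Hello in a network trace and comparing them with what the server side enables, as an added example that is not part of the original thread or of OpenDJ. The parser below walks a raw TLS handshake record and lists the offered suite codes; the Client Hello it parses is constructed in the block for determinism, and SERVER_SUITES is a hypothetical placeholder list, not Java 7's actual JSSE defaults or anything RHEL's NSS really sends. With a real capture, the bytes of the first record from the client (for example exported from Wireshark) would replace the constructed record.

```python
"""List the cipher suites a TLS ClientHello offers and intersect them with a
server's enabled set, to spot the "no overlap" failure from the thread."""
import struct

# Small IANA cipher-suite table (code -> name); only what this example needs.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

# Hypothetical server-side list (assumption for the example, NOT the real JSSE
# default list of any Java version).
SERVER_SUITES = [0xC013, 0xC014, 0x0033, 0x0039, 0x002F, 0x0035]


def build_client_hello(suites, version=(3, 1)):
    """Build a minimal TLS record carrying a ClientHello. Constructed test
    input only; a real client's hello would come from a packet capture."""
    body = bytes(version)                          # client_version
    body += b"\x00" * 32                           # random (fixed, deterministic)
    body += b"\x00"                                # session_id length 0
    body += struct.pack("!H", 2 * len(suites))     # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # compression_methods: null
    body += b"\x00\x00"                            # extensions length 0
    # Handshake header: type 1 (client_hello) + 3-byte length
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return (client_version, [cipher suite codes]) from a TLS record that
    carries a ClientHello; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                   # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites


def suite_name(code):
    return SUITE_NAMES.get(code, "UNKNOWN_0x%04X" % code)


def common_suites(client_suites, server_suites):
    """Suites both sides enable, in the client's preference order; the
    renegotiation SCSV is a signal, not a suite, so it never counts."""
    server = set(server_suites)
    return [s for s in client_suites if s in server and s != 0x00FF]


def report(record, server_suites=SERVER_SUITES):
    """Human-readable summary of what the client offered and what overlaps."""
    version, offered = parse_client_hello(record)
    lines = ["client version %d.%d" % version]
    lines += ["  offers " + suite_name(s) for s in offered]
    overlap = common_suites(offered, server_suites)
    lines.append("overlap with server: " +
                 (", ".join(suite_name(s) for s in overlap) or "NONE"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed "restrictive" client: RC4/3DES only -> no overlap at all.
    print(report(build_client_hello([0x0004, 0x0005, 0x000A, 0x00FF])))
    # Constructed client that also offers AES-CBC -> handshake can proceed.
    print(report(build_client_hello([0x002F, 0x0035, 0x000A, 0x00FF])))
```

An empty overlap is exactly the state the thread describes: nothing the server can negotiate, whatever the server's own configuration says, so the fix has to change either the client's offered list or the server's enabled list. Running the parser on the first record of a capture taken before and after editing TLS_CIPHER_SUITE also answers the question of whether the ldap.conf setting is being applied at all.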

