jvcelak@redhat.com wrote:

The patch is fine. I was just about to send exactly the same. We have a report in our bugzilla for this.

Thanks for the confirmation, fixed now in master.

On Monday 04 of June 2012 21:56:08, tim.strobell.ctr@nrl.navy.mil wrote:

...

Full_Name: Tim Strobell Version: HEAD OS: RHEL6 URL: ftp://ftp.openldap.org/incoming/tim-strobell-2012060401.patch Submission from: (NULL) (2001:480:20:112:210:18ff:fe19:b000)

When using NSS, the default cipher suite selection is used even when TLSCipherSuite is explicitly specified. This behavior was introduced in the patch provided in ITS#6790.

At tls_m.c:2221...

     if ( lt->lt_ciphersuite &&
          tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
                [ error, return ]
     } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
                [ error, return ]
     }

tlsm_parse_ciphers returns 0 on success; the else path is always followed and overrides the previous cipher suite selection.