TLS init: ca md too weak

2024-04-17 Thread Uwe Sauter
Hi all, one of my Rocky Linux 8 servers was updated automatically to 2.6.7 this night from the Symas repo. The install script seems to include an automated restart of the service but that failed with: main: TLS init def ctx failed: -1 error:0A00018E:SSL routines::ca md too weak As this is an

Re: TLS init: ca md too weak

2024-04-17 Thread Jeffrey Walton
On Wed, Apr 17, 2024 at 3:21 AM Uwe Sauter wrote: > Hi all, > > one of my Rocky Linux 8 servers was updated automatically to 2.6.7 this > night from the Symas repo. > The install script seems to include an automated restart of the service > but that failed with: > > main: TLS init def ctx

Re: timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-17 Thread Howard Chu
Christopher Paul wrote: > Concerning the "timeout" parameter, the ideal range might be between 60 to > 120 seconds, to handle operations exceeding a minute, but again, kicking in > retry > logic if they exceed two minutes. I admit that my stance on the "timeout" > setting is tentative, given

ldclt ldap performance testing

2024-04-17 Thread Marc
I am doing some basic testing with ldap with this command.

ldclt \
  -a 400 \
  -H ldap://x.x.x.x: \
  -e bindeach,bindonly,close \
  -D "uid=test,dc=me,dc=local" \
  -w yy \
  -n 1

I was testing this on two container test environments. Both are running with ~500MB, 1 core.

Re: [EXTERNAL] TLS init: ca md too weak

2024-04-17 Thread Bradley T Gill
You should be able to regenerate the certificates with a secure signing algorithm. This thread has some other alternatives, like recompiling OpenSSL with an insecure flag.

Re: TLS init: ca md too weak

2024-04-17 Thread Uwe Sauter
Bradley, Jeffrey, thanks for your suggestions. I was able to restore the service by slapmodify'ing this ldif: dn: cn=config changetype: modify replace: olcTLSCipherSuite olcTLSCipherSuite: TLSv1.3:TLSv1.2:@SECLEVEL=0 Unfortunately SECLEVEL=1 was still too high but as I wrote before it

Re: timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-17 Thread Christopher Paul
On 4/17/2024 11:24 PM, Howard Chu wrote: timeout has nothing to do with the duration of an operation. I'm confused then. Manual page ldap.conf(5) states: TIMEOUT Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is

Re: timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-17 Thread Howard Chu
Christopher Paul wrote: > On 4/17/2024 11:24 PM, Howard Chu wrote: >> timeout has nothing to do with the duration of an operation. > > I'm confused then. Manual page ldap.conf(5) states: > > TIMEOUT > Specifies a timeout (in seconds) after which calls to > synchronous LDAP

Re: timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-17 Thread Christopher Paul
On 4/18/2024 11:30 AM, Howard Chu wrote: An LDAP operation may have more than one response. Search operations often do, extended ops may as well. The timeout is waiting for any response, not just the operation result. Ah, that makes sense now. Thanks, Howard! -- Chris Paul | Rex Consulting