Your message dated Sat, 21 Mar 2020 10:38:27 -0700
with message-id <[email protected]>
and subject line Re: Bug#541256: TLS: could not set cipher list
TLS_RSA_AES_256_CBC_SHA1
has caused the Debian Bug report #541256,
regarding incompatible changes to GnuTLS cipher suite parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
541256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.4.17-1
Severity: important
OpenLDAP+gnutls worked fine for me for more than a year, but now I have
TLS problems again. It started on my unstable client when libnss-ldap
reported:
TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1
Then I upgraded gnutls and ldap on my server from lenny to unstable and
now even slapd doesn't start:
TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1.
main: TLS init def ctx failed: -1
If I comment out the line which defines the cipher:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
it works again.
$ gnutls-cli -l|grep TLS_RSA_AES_256_CBC_SHA1
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
...so I don't see why it shouldn't work.
Thanks, bye!
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (990, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=hr_HR.UTF-8, LC_CTYPE=hr_HR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages slapd depends on:
ii  adduser                     3.110           add and remove users and groups
ii  coreutils                   6.10-6          The GNU core utilities
ii  debconf [debconf-2.0]       1.5.24          Debian configuration management sy
ii  libc6                       2.9-23          GNU C Library: Shared libraries
ii  libdb4.7                    4.7.25-7        Berkeley v4.7 Database Libraries [
ii  libgnutls26                 2.6.6-1         the GNU TLS library - runtime libr
ii  libldap-2.4-2               2.4.17-1        OpenLDAP libraries
ii  libltdl7                    2.2.6a-4        A system independent dlopen wrappe
ii  libperl5.10                 5.10.0-19       Shared Perl library
ii  libsasl2-2                  2.1.23.dfsg1-1  Cyrus SASL - authentication abstra
ii  libslp1                     1.2.1-7.5       OpenSLP libraries
ii  libwrap0                    7.6.q-16        Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-perl   5.10.0-19       Larry Wall's Practical Extraction
ii  psmisc                      22.6-1          Utilities that use the proc filesy
ii  unixodbc                    2.2.11-16       ODBC tools libraries
Versions of packages slapd recommends:
ii  libsasl2-modules            2.1.23.dfsg1-1  Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.17-1 OpenLDAP utilities
-- debconf information:
* slapd/tlsciphersuite:
slapd/fix_directory: true
shared/organization: nodomain
slapd/upgrade_slapcat_failure:
slapd/backend: BDB
slapd/allow_ldap_v2: false
slapd/no_configuration: false
slapd/move_old_database: true
slapd/suffix_change: false
slapd/slave_databases_require_updateref:
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/autoconf_modules: true
slapd/domain: nodomain
slapd/password_mismatch:
slapd/invalid_config: true
slapd/slurpd_obsolete:
slapd/upgrade_slapadd_failure:
slapd/dump_database: when needed
slapd/migrate_ldbm_to_bdb: false
slapd/purge_database: false
--- End Message ---
--- Begin Message ---
I'm closing this bug now as it is far too late to do anything about
upgrades from lenny. The related upstream issues have been closed.
If anyone needs help writing a correct GnuTLS priority string for use
with the TLSCipherSuite setting, I encourage them to ask in IRC or on
the mailing list.
--- End Message ---
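
A pre-upgrade check for the failure reported above, added here as an example; it is not part of the bug thread and is not Debian or OpenLDAP code. It scans slapd.conf text for TLSCipherSuite values that name individual TLS_* suites, the form slapd rejected in the report. The sample configuration, the function names and the TLS_ prefix heuristic are assumptions.

```python
import re

# Constructed sample slapd.conf; only the TLSCipherSuite value comes from the report.
SAMPLE_SLAPD_CONF = """\
# constructed sample configuration
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCipherSuite
  TLS_RSA_AES_256_CBC_SHA1
#TLSCipherSuite NORMAL
"""

# Heuristic (assumption): suite names as listed by `gnutls-cli -l` start with TLS_,
# while GnuTLS priority-string tokens (NORMAL, +AES-256-CBC, -VERS-SSL3.0) do not.
LEGACY_SUITE = re.compile(r"^TLS_[A-Z0-9]+(?:_[A-Z0-9]+)+$")


def logical_lines(text):
    """Yield (first_lineno, joined_line); a line starting with whitespace
    continues the previous one, and joining happens before comment handling."""
    start, buf = None, None
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and buf is not None:
            buf += " " + raw.strip()
            continue
        if buf is not None:
            yield start, buf
        start, buf = no, raw.rstrip()
    if buf is not None:
        yield start, buf


def find_legacy_cipher_suites(conf_text):
    """Return [(lineno, value, legacy_tokens)] for TLSCipherSuite directives
    whose value contains TLS_* suite names."""
    findings = []
    for no, line in logical_lines(conf_text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment (including its continuations)
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "tlsciphersuite":
            continue  # directive names are case-insensitive
        value = parts[1].strip().strip('"')
        legacy = [t for t in re.split(r"[:,\s]+", value) if LEGACY_SUITE.match(t)]
        if legacy:
            findings.append((no, value, legacy))
    return findings


if __name__ == "__main__":
    for no, value, legacy in find_legacy_cipher_suites(SAMPLE_SLAPD_CONF):
        print(f"line {no}: TLSCipherSuite {value!r} names suites {legacy}")
```

A finding means the value should be reviewed and rewritten as a GnuTLS priority string before slapd is restarted against the newer libraries.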