Your message dated Sat, 21 Mar 2020 10:38:27 -0700
with message-id <[email protected]>
and subject line Re: Bug#541256: TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1
has caused the Debian Bug report #541256,
regarding incompatible changes to GnuTLS cipher suite parsing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
541256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.4.23-7.2


OpenLDAP refuses to use cipher TLS_RSA_3DES_EDE_CBC_SHA1 when the cipher is available to the system.

Here is the output of gnutls-cli:

ldap3:/etc/ldap# gnutls-cli -l | grep TLS_RSA_3DES_EDE_CBC_SHA1
TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a      SSL3.0


and gnutls-serv

ldap3:/etc/ldap# gnutls-serv -l | grep TLS_RSA_3DES_EDE_CBC_SHA1
TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a      SSL3.0

and OpenLDAP refuses to start when this cipher is used (and only this one):

ldap3:/etc/ldap# /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -g openldap -u openldap -d9

[…]
TLS: could not set cipher list TLS_RSA_3DES_EDE_CBC_SHA1.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
syncinfo_free: rid=124
slapd stopped.
connections_destroy: nothing to destroy.

Here is the TLS relevant part of slapd.conf:

TLSCertificateFile /etc/ldap/ldap3.math.ups-tlse.fr.pem
TLSCertificateKeyFile /etc/ldap/ldap3.math.ups-tlse.fr.key
TLSCACertificateFile /etc/ldap/CNRS2-Standard.crt.full.tls
TLSCipherSuite TLS_RSA_3DES_EDE_CBC_SHA1

Here are the versions of libldap and libgnutls26:

ii  libgnutls26           2.8.6-1               the GNU TLS library - runtime library
ii  libldap-2.4-2         2.4.23-7.2            OpenLDAP libraries

Best Regards,
_______________________________________

Christophe Ségui
Head of Department
IT Department
Institut de Mathématiques de Toulouse - UMR 5219
Université de Toulouse, CNRS


UNIVERSITE PAUL SABATIER
BAT 1R3 bur 221
118 Route de Narbonne
31062 Toulouse Cedex 9 

tel: 05.61.55.63.78    fax: 05.61.55.75.99
_______________________________________

Save energy, paper and ink: print this message only if necessary. To learn more, see www.ecoinfo.cnrs.fr

Attachment: smime.p7s
Description: S/MIME cryptographic signature

--- End Message ---
--- Begin Message ---
I'm closing this bug now as it is far too late to do anything about upgrades from lenny. The related upstream issues have been closed.

If anyone needs help writing a correct GnuTLS priority string for use with the TLSCipherSuite setting, I encourage them to ask in IRC or on the mailing list.
--- End Message ---
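As an added illustration of the closing remark above (this is not code from the bug report, from OpenLDAP or from GnuTLS): a small Python pre-flight check that tells a bare ciphersuite name, as in the reporter's TLSCipherSuite line, apart from a GnuTLS priority string before slapd is restarted. The set of initial keywords and the NONE heuristic are assumptions of this example and are not exhaustive.

```python
"""Lint the value of slapd's TLSCipherSuite directive for a GnuTLS-linked slapd.
Added example; not code from the bug report, OpenLDAP or GnuTLS.
GnuTLS takes a priority string: an initial keyword such as NORMAL or NONE,
then ':'-separated +/-/! algorithm modifiers and %FLAGS.  A bare suite name
such as TLS_RSA_3DES_EDE_CBC_SHA1, as printed by 'gnutls-cli -l', is not a
priority string, and slapd then aborts with "TLS: could not set cipher list"."""
import re

# Initial keywords accepted by gnutls_priority_init (assumed list, not exhaustive).
INITIAL_KEYWORDS = {"NONE", "NORMAL", "PERFORMANCE", "PFS", "LEGACY",
                    "SECURE128", "SECURE192", "SECURE256", "SUITEB128", "SUITEB192"}
SUITE_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")        # the 'gnutls-cli -l' naming style
MODIFIER = re.compile(r"^[+\-!][A-Z0-9][A-Z0-9.\-]*$")   # e.g. +AES-256-CBC, -VERS-TLS1.0
FLAG = re.compile(r"^%[A-Z_]+$")                         # e.g. %SERVER_PRECEDENCE


def lint_tls_cipher_suite(value: str) -> tuple:
    """Return (ok, reason).  ok=True only means the value has priority-string
    shape; it does not prove every algorithm keyword exists in the installed GnuTLS."""
    value = value.strip()
    if not value:
        return False, "empty TLSCipherSuite value"
    if SUITE_NAME.match(value):
        return False, (f"{value!r} is a ciphersuite name, not a GnuTLS priority string; "
                       "start from NORMAL, SECURE256 or NONE and add +/- modifiers")
    head, *mods = value.split(":")
    # '@NAME' refers to a named profile from the system-wide GnuTLS configuration.
    if not head.startswith("@") and head not in INITIAL_KEYWORDS:
        return False, f"unknown initial keyword {head!r} (OpenSSL-style lists are not accepted)"
    for mod in mods:
        if not (MODIFIER.match(mod) or FLAG.match(mod)):
            return False, f"modifier {mod!r} must start with +, -, ! or %"
    # Heuristic: NONE enables nothing, so at least a protocol version must be added.
    if head == "NONE" and not any(m.startswith("+VERS-") for m in mods):
        return False, "NONE enables nothing: add +VERS-TLSx.y plus cipher, MAC, KX and +COMP-NULL"
    return True, "priority-string shape OK; confirm with: gnutls-cli -l --priority '<value>'"
```

The final confirmation step, listing which suites a given priority string actually enables with `gnutls-cli -l --priority`, is what answers the question the reporter was asking of `gnutls-cli -l`.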