Package: slapd
Severity: normal
Tags: patch

Hi,
I wrote a small patch for the slapd.conf(5) man page. Please find it attached. In addition to that I can confirm that the bug does not occur in OpenLDAP 2.4.21 (tested with TLSCipherSuite NORMAL:!AES-128-CBC in slapd.conf). I did not test with earlier versions, but according to the code in tls_g.c the calls to gnutls_priority_init() were already in when 2.4.17 was released. So, I am quite confident the problem was already solved with OpenLDAP 2.4.17.

Best regards
Peter

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                     3.112            add and remove users and groups
ii  coreutils                   7.4-2            The GNU core utilities
ii  debconf [debconf-2.0]       1.5.30           Debian configuration management sy
ii  libc6                       2.10.2-6         Embedded GNU C Library: Shared lib
ii  libdb4.7                    4.7.25-9         Berkeley v4.7 Database Libraries [
ii  libgnutls26                 2.8.6-1          the GNU TLS library - runtime libr
ii  libldap-2.4-2               2.4.21-0pm1      OpenLDAP libraries
ii  libltdl7                    2.2.6b-2         A system independent dlopen wrappe
ii  libperl5.10                 5.10.1-11        shared Perl library
ii  libsasl2-2                  2.1.23.dfsg1-5   Cyrus SASL - authentication abstra
ii  libslp1                     1.2.1-7.6        OpenSLP libraries
ii  libwrap0                    7.6.q-18         Wietse Venema's TCP wrappers libra
ii  lsb-base                    3.2-23           Linux Standard Base 3.2 init scrip
ii  perl [libmime-base64-perl   5.10.1-11        Larry Wall's Practical Extraction
ii  psmisc                      22.10-1          utilities that use the proc file s
ii  unixodbc                    2.2.11-21        ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules            2.1.23.dfsg1-5   Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                  2.4.21-0pm1      OpenLDAP utilities

-- debconf information excluded
--- openldap-2.1.21/doc/man/man5/slapd.conf.5 +++ openldap-2.1.21/doc/man/man5/slapd.conf.5 2010-04-14 19:19:21.000000000 +0200 @@ -1029,22 +1029,37 @@ .TP .B TLSCipherSuite <cipher-suite-spec> Permits configuring what ciphers will be accepted and the preference order. -<cipher-suite-spec> should be a cipher specification for OpenSSL. Example: - +<cipher-suite-spec> should be a cipher specification for OpenSSL resp. GNUtls. +Example: +.RS +.RS +.TP +.I OpenSSL: TLSCipherSuite HIGH:MEDIUM:+SSLv2 +.TP +.I GNUtls: +TLSCiphersuite SECURE256:!AES-128-CBC +.RE -To check what ciphers a given spec selects, use: +To check what ciphers a given spec selects in OpenSSL, use: .nf openssl ciphers \-v <cipher-suite-spec> .fi -To obtain the list of ciphers in GNUtls use: +With GNUtls the available specs can be found in the manual page of +.BR gnutls\-cli (1) +(see the description of the +option +.BR \-\-priority ). + +In older versions of GNUtls, where gnutls\-cli does not support the option +\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling: .nf - gnutls-cli \-l + gnutls\-cli \-l .fi - +.RE .TP .B TLSCACertificateFile <filename> Specifies the file that contains certificates for all of the Certificate @@ -1904,6 +1919,7 @@ default slapd configuration file .SH SEE ALSO .BR ldap (3), +.BR gnutls\-cli (1), .BR slapd\-config (5), .BR slapd.access (5), .BR slapd.backends (5),
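Review bot: in the TLSCipherSuite hunk, the GnuTLS example added after `.I GNUtls:` spells the directive `TLSCiphersuite`, while the `.B TLSCipherSuite` heading and the OpenSSL example directly above spell it `TLSCipherSuite`; slapd.conf keywords are matched case-insensitively, but a man page should use one spelling, so make the example `TLSCipherSuite SECURE256:!AES-128-CBC`. The new sentence "should be a cipher specification for OpenSSL resp. GNUtls" uses a Germanism ("resp.") and leaves out the point the reader needs: the accepted syntax is fixed at build time by the TLS library libldap was linked against, not chosen in slapd.conf, so "for OpenSSL or GnuTLS, depending on which TLS library libldap was built with" would be clearer, and the project's own spelling is GnuTLS rather than GNUtls. Since the hunk rewrites the example block anyway, the pre-existing OpenSSL example `TLSCipherSuite HIGH:MEDIUM:+SSLv2` is a poor model to keep, because `+SSLv2` re-enables SSLv2 cipher suites; an example without that term would be better. Separately, the file header names openldap-2.1.21 although the report is against 2.4.21; confirm the patch was taken against the 2.4 tree so it applies at the stated offsets.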
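Review bot: in the SEE ALSO hunk, `.BR gnutls\-cli (1),` is inserted between ldap(3) and slapd\-config(5); if that list is meant to be alphabetical it belongs before ldap(3). The TLSCipherSuite text now points the reader at `gnutls-cli --priority` for GnuTLS and at `openssl ciphers -v` for OpenSSL, so adding the matching OpenSSL reference, `.BR ciphers (1),`, in the same hunk would cover both backends rather than only one.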