[Bug 1537762] Re: syncrepl does not work when using tls

2016-03-14 Thread Maciej Puzio
Perhaps the issue is that your certificates have too short RSA keys. In
GnuTLS SECURE256 requires at least 3072-bit public key. Unfortunately,
this is not clearly documented.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1537762

Title:
  syncrepl does not work when using tls

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1537762/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1537762] Re: syncrepl does not work when using tls

2016-01-26 Thread Ian Gordon
Thanks for the pointers (I have no idea why I failed to find the gnutls26 bug
yesterday when I looked).

bug 1533230 comment #12
(https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230/comments/12)
seems to be the same problem as I'm having.

Using the command:

gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224'

works but

gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256'

does not work and gives an error of

*** Fatal error: The signature algorithm is not supported.
*** Handshake has failed
GnuTLS error: The signature algorithm is not supported.

Our slapd.conf file contained a

TLSCipherSuite SECURE256:-VERS-SSL3.0

which I think explains where syncrepl fails but ldapsearch still works,
as it will use a SECURE128 cipher.

I don't understand why I now need to add specific signature algorithms
to the list though?

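
Added example (not part of the bug thread, and not code from any poster): a small check for the two certificate properties raised above, the RSA key size from the 2016-03-14 comment and the SHA-224 signature from the gnutls-cli test. It parses the text printed by `openssl x509 -noout -text`; the function name, the MIN_BITS variable, the file name and the sample inputs are constructed for illustration, and it assumes the unsupported signature shows up in the certificate's "Signature Algorithm" field.

```shell
#!/bin/sh
# Added example, not from the bug thread. Reads the text form of a certificate
# (as printed by `openssl x509 -noout -text`) on stdin and reports the two
# properties discussed in the thread: public key size and signature hash.

# Minimum key size: 3072 is the figure quoted in the 2016-03-14 comment;
# override MIN_BITS if your GnuTLS version documents another value.
MIN_BITS="${MIN_BITS:-3072}"

check_cert_text() {
    text=$(cat)
    # Matches e.g. "Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # Matches e.g. "Signature Algorithm: sha224WithRSAEncryption"
    sig=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$sig" ]; then
        echo "unparsed: no key size or signature algorithm found"
        return 2
    fi
    result=0
    findings="bits=$bits sig=$sig"
    # Key shorter than the configured minimum.
    if [ "$bits" -lt "$MIN_BITS" ]; then
        findings="$findings key-below-$MIN_BITS"
        result=1
    fi
    # SHA-224 signatures had to be enabled explicitly in the thread's test.
    case "$sig" in
        *[Ss][Hh][Aa]224*)
            findings="$findings sha224-signature"
            result=1 ;;
    esac
    echo "$findings"
    return "$result"
}

# Constructed sample inputs (not real certificates from the thread).
SAMPLE_WEAK='        Signature Algorithm: sha224WithRSAEncryption
                Public-Key: (2048 bit)'
SAMPLE_OK='        Signature Algorithm: sha384WithRSAEncryption
                Public-Key: (4096 bit)'

# Real use (hypothetical file name):
#   openssl x509 -in server-cert.pem -noout -text | check_cert_text
```

Exit status 0 means neither condition was found, 1 means at least one was, and 2 means the input could not be parsed.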


[Bug 1537762] Re: syncrepl does not work when using tls

2016-01-25 Thread Ryan Tandy
Please also have a look at
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230 (thanks
to sarnold for the pointer)



[Bug 1537762] Re: syncrepl does not work when using tls

2016-01-25 Thread Ryan Tandy
Hi Ian,

I found
https://stathers.net/2016/01/14/thawte-premium-ssl-md5-gnutls.html
but it would be surprising if that broke syncrepl but not ldapsearch.
Still, worth checking if you haven't already.
(ldapsearch and syncrepl are using the same CA certificate, right?)

Is there any interesting output if you run the consumer slapd at a
higher debug level?

Separate from slapd, are gnutls-serv/gnutls-cli able to communicate
using the same certificates?

** Changed in: openldap (Ubuntu)
   Status: New => Incomplete
