[Pkg-openldap-devel] Bug#473796: Bug#473796: TLS fails completely

Quanah Gibson-Mount quanah at zimbra.com
Thu Apr 3 19:28:56 UTC 2008


--On Thursday, April 03, 2008 3:41 PM +0200 debian at x.ray.net wrote:

> ok, more testing, more news:
>
>>> now with the slapd 2.4.7 package (with gnutls) this seems to force
>>> client-certs, too. a TLS query without client-cert won't work - but
>>> commenting the 'security' line out results in working TLS and working
>>> non-TLS queries.
>>
>> The default behavior when TLS is enabled is "TLSVerifyClient never";
>> 2.4.7 did have a bug related to this, but this was resolved in the
>> 2.4.7-5 package.
>
> well it seems to me like with gnutls the 'security tls=' value controls
> the tls requirements, TLSVerifyClient is (more or less?) ignored. but i
> could be missing something ofc...
>
> all queries done with a server cert and without a client cert:
>
>
> security tls=128
> TLSVerifyClient never
>
> ldapsearch		fails (TLS confidentiality required)
> ldapsearch -ZZ		fails (stronger TLS confidentiality required)

This will always fail as long as the key strength of the cert in question is 
so low.  It states quite clearly in your log:

conn=0 fd=12 TLS established tls_ssf=32 ssf=32

I.e., the TLS SSF is 32.  So no value > 32 will ever work.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
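A small checker for the comparison Quanah describes, added here as an illustration rather than anything from this thread or from the OpenLDAP project: it parses the `security tls=` requirement out of a slapd.conf fragment and compares it with the tls_ssf value slapd reports in its "TLS established" log lines, so a defender can see at a glance which connections the directive will reject. The config and log lines are constructed for the example, apart from the `security tls=128` directive and the tls_ssf=32 line quoted in the message.

```python
import re

# Constructed slapd.conf fragment; the two directives match the ones in the thread.
SLAPD_CONF = """\
security tls=128
TLSVerifyClient never
"""

# Constructed slapd log excerpt. conn=0 is the line quoted in the message
# (tls_ssf=32); conn=1 is an invented connection with a 128-bit cipher.
SLAPD_LOG = """\
conn=0 fd=12 ACCEPT from IP=127.0.0.1:40001 (IP=0.0.0.0:389)
conn=0 fd=12 TLS established tls_ssf=32 ssf=32
conn=1 fd=13 ACCEPT from IP=127.0.0.1:40002 (IP=0.0.0.0:389)
conn=1 fd=13 TLS established tls_ssf=128 ssf=128
"""

SECURITY_RE = re.compile(r"^\s*security\s+(.*)$", re.IGNORECASE | re.MULTILINE)
TLS_EST_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")


def parse_security(conf: str) -> dict:
    """Return the key=value pairs of the slapd 'security' directive, e.g. {'tls': 128}."""
    m = SECURITY_RE.search(conf)
    if not m:
        return {}
    factors = {}
    for item in m.group(1).split():
        key, _, value = item.partition("=")
        factors[key.lower()] = int(value)
    return factors


def check_tls_connections(conf: str, log: str) -> list:
    """For each 'TLS established' line, say whether its tls_ssf satisfies 'security tls='.

    A connection whose negotiated TLS SSF is below the configured minimum is the
    one slapd answers with 'TLS confidentiality required'.
    """
    required = parse_security(conf).get("tls", 0)
    results = []
    for m in TLS_EST_RE.finditer(log):
        conn, tls_ssf = int(m.group(1)), int(m.group(2))
        results.append({"conn": conn, "tls_ssf": tls_ssf,
                        "required": required, "ok": tls_ssf >= required})
    return results
```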