[Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Same problem
T.A. van Roermund
timo at van-roermund.nl
Tue Jan 29 19:27:03 UTC 2008
Steve Langasek wrote:
> Well, I can reproduce the problem when using this value for TLSCipherSuite.
> But why would you set this value, rather than leaving TLSCipherSuite blank
> to use the default? I don't see the point of listing *all* the cipher types
> if you don't intend to exclude some of them.
If I leave it blank, it still doesn't work. The behaviour is then
exactly equal to the current situation.
> Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2", not
> "$cipher1 $cipher2"; but setting such values gives me a hang on startup
> (which should be investigated).
I can confirm that, the reason why I left out the ":" is this hang. I
thought that maybe gnutls parses the string differently and needs spaces
in between, that's why I replaced those characters with spaces. Anyway,
do you file a bug report for this hang?
> I see that if I leave the cipher list blank, gnutls-cli negotiates
> TLS_RSA_AES_256_CBC_SHA; so if I set TLSCipherSuite TLS_RSA_AES_256_CBC_SHA,
> it works just fine.
How exactly do you find out? Then I might try the same on my PC.
> The full list of ciphers that gnutls clients appear to negotiate by default
> is:
>
> TLS_DHE_RSA_AES_256_CBC_SHA, TLS_DHE_RSA_AES_128_CBC_SHA,
> TLS_DHE_RSA_3DES_EDE_CBC_SHA, TLS_DHE_DSS_AES_256_CBC_SHA,
> TLS_DHE_DSS_AES_128_CBC_SHA, TLS_DHE_DSS_3DES_EDE_CBC_SHA,
> TLS_DHE_DSS_RC4_128_SHA, TLS_RSA_AES_256_CBC_SHA, TLS_RSA_AES_128_CBC_SHA,
> TLS_RSA_3DES_EDE_CBC_SHA, TLS_RSA_RC4_128_SHA, TLS_RSA_RC4_128_MD5
>
> So if you don't want to use the default cipher settings, you can perhaps
> choose one of these ciphers individually that meets your needs.
None of these ciphers seems to work (at least in combination with
Thunderbird).
> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.
That might be a good idea.
Best regards,
Timo
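
The migration idea raised at the end of the thread, sketched as an added example (not code from the Debian package or from either poster): it reads the TLSCipherSuite line of a slapd.conf, flags whitespace separators, and translates OpenSSL cipher names to the GnuTLS names listed in the quoted message. The OpenSSL-to-GnuTLS name mapping, the function name and the sample configuration are assumptions of this example.

```python
import re

# Values are the GnuTLS suite names listed in the quoted message; the OpenSSL
# names on the left are this example's assumption about the equivalents.
OPENSSL_TO_GNUTLS = {
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_AES_256_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_AES_128_CBC_SHA",
    "EDH-RSA-DES-CBC3-SHA": "TLS_DHE_RSA_3DES_EDE_CBC_SHA",
    "DHE-DSS-AES256-SHA": "TLS_DHE_DSS_AES_256_CBC_SHA",
    "DHE-DSS-AES128-SHA": "TLS_DHE_DSS_AES_128_CBC_SHA",
    "EDH-DSS-DES-CBC3-SHA": "TLS_DHE_DSS_3DES_EDE_CBC_SHA",
    "DHE-DSS-RC4-SHA": "TLS_DHE_DSS_RC4_128_SHA",
    "AES256-SHA": "TLS_RSA_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "TLS_RSA_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_RC4_128_MD5",
}
GNUTLS_NAMES = set(OPENSSL_TO_GNUTLS.values())

def check_cipher_suite(conf_text):
    """Return (migrated_value, findings) for the TLSCipherSuite directive."""
    # Directive names are case-insensitive; '#' lines and indented
    # continuation lines do not match because of the ^ anchor.
    m = re.search(r"^TLSCipherSuite[ \t]+(.+)$", conf_text, re.M | re.I)
    if not m:
        return None, ["TLSCipherSuite not set: library default applies"]
    value, findings, out = m.group(1).strip(), [], []
    if re.search(r"\s", value):
        findings.append("whitespace-separated list; documented separator is ':'")
    for tok in filter(None, re.split(r"[:\s]+", value)):
        if tok in GNUTLS_NAMES:
            out.append(tok)
        elif tok in OPENSSL_TO_GNUTLS:
            findings.append(f"{tok}: OpenSSL name, use {OPENSSL_TO_GNUTLS[tok]}")
            out.append(OPENSSL_TO_GNUTLS[tok])
        else:  # e.g. OpenSSL keywords such as HIGH have no listed equivalent
            findings.append(f"{tok}: not a listed GnuTLS suite, review manually")
    return ":".join(out), findings

# Constructed sample input, not taken from the bug report.
SAMPLE_CONF = """\
# constructed slapd.conf fragment
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCipherSuite AES256-SHA TLS_DHE_RSA_AES_256_CBC_SHA HIGH
"""

if __name__ == "__main__":
    print(check_cipher_suite(SAMPLE_CONF))
```

The migrated value is joined with ":" because that is the syntax the thread cites as documented; the thread also reports that colon-separated lists hang slapd on startup in the affected build, where a single suite name was the form reported to work.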