[Pkg-openldap-devel] Bug#462588: Same problem

T.A. van Roermund timo at van-roermund.nl
Tue Jan 29 19:27:03 UTC 2008


Steve Langasek wrote:
> Well, I can reproduce the problem when using this value for TLSCipherSuite.
> But why would you set this value, rather than leaving TLSCipherSuite blank
> to use the default?  I don't see the point of listing *all* the cipher types
> if you don't intend to exclude some of them.

If I leave it blank, it still doesn't work. The behaviour is then 
exactly equal to the current situation.

> Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2", not
> "$cipher1 $cipher2"; but setting such values gives me a hang on startup
> (which should be investigated).

I can confirm that, the reason why I left out the ":" is this hang. I 
thought that maybe gnutls parses the string differently and needs spaces 
in between, that's why I replaced those characters with spaces. Anyway, 
will you file a bug report for this hang?

> I see that if I leave the cipher list blank, gnutls-cli negotiates
> TLS_RSA_AES_256_CBC_SHA; so if I set TLSCipherSuite TLS_RSA_AES_256_CBC_SHA,
> it works just fine.

How exactly do you find out? Then I might try the same on my PC.

> The full list of ciphers that gnutls clients appear to negotiate by default
> is:
> 
>   TLS_DHE_RSA_AES_256_CBC_SHA, TLS_DHE_RSA_AES_128_CBC_SHA,
>   TLS_DHE_RSA_3DES_EDE_CBC_SHA, TLS_DHE_DSS_AES_256_CBC_SHA,
>   TLS_DHE_DSS_AES_128_CBC_SHA, TLS_DHE_DSS_3DES_EDE_CBC_SHA,
>   TLS_DHE_DSS_RC4_128_SHA, TLS_RSA_AES_256_CBC_SHA, TLS_RSA_AES_128_CBC_SHA,
>   TLS_RSA_3DES_EDE_CBC_SHA, TLS_RSA_RC4_128_SHA, TLS_RSA_RC4_128_MD5
>
> So if you don't want to use the default cipher settings, you can perhaps
> choose one of these ciphers individually that meets your needs.

None of these ciphers seems to work (at least in combination with 
Thunderbird).

> I'm not sure if we should also try to migrate the OpenSSL-specific cipher
> specs to GNUTLS equivalents as part of the package upgrade.

That might be a good idea.

Best regards,

Timo
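
One way to answer the "how exactly do you find out" question above, as an added example that is not part of the thread and not code from the OpenLDAP or GnuTLS projects: run gnutls-cli against the server and turn the handshake summary it prints into the TLS_* spelling that the TLSCipherSuite directive in this thread uses. It assumes gnutls-cli reports the handshake as "- Key Exchange:", "- Cipher:" and "- MAC:" lines (the GnuTLS 2.x format), that the TLS_* names follow the list Steve quoted, and that the spelling translation in the awk script is correct; HOST is a placeholder, and the sample handshake text is constructed, not captured from the reporter's server.

```shell
#!/bin/sh
# Added example (not from the bug thread): find out which cipher suite a
# GnuTLS client negotiates with an LDAP server, then express it as the
# TLS_<KX>_<CIPHER>_<MAC> name slapd's TLSCipherSuite directive expects.
#
# Live use against an ldaps:// server (needs network; HOST is a placeholder):
#   gnutls-cli -p 636 HOST </dev/null 2>&1 | negotiated_suite
# gnutls-cli cannot drive LDAP's own StartTLS exchange on port 389; for a
# STARTTLS-only server use "ldapsearch -ZZ -d 1" and read the handshake there.

# Parse gnutls-cli's handshake summary and print the TLS_* suite name.
# The translation of gnutls-cli spellings (AES-256-CBC, 3DES-CBC, ARCFOUR-128,
# SHA1) to the TLS_* list quoted in the thread is this example's assumption.
negotiated_suite() {
    awk '
        /^- Key Exchange:/ { kx = $4 }
        /^- Cipher:/       { c  = $3 }
        /^- MAC:/          { m  = $3 }
        END {
            if (kx == "" || c == "" || m == "") {
                print "no handshake summary found"
                exit 1
            }
            gsub(/-/, "_", kx)                 # DHE-RSA      -> DHE_RSA
            gsub(/-/, "_", c)                  # AES-256-CBC  -> AES_256_CBC
            sub(/^3DES_CBC$/, "3DES_EDE_CBC", c)
            sub(/^ARCFOUR_128$/, "RC4_128", c) # ARCFOUR-128  -> RC4_128
            sub(/^SHA1$/, "SHA", m)            # gnutls-cli says SHA1, TLS_* names say SHA
            print "TLS_" kx "_" c "_" m
        }'
}

# Constructed sample of what gnutls-cli prints after a successful handshake
# (sample text for offline use, not a real capture).
sample_handshake() {
    cat <<'EOF'
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
EOF
}

# Result for the constructed sample: the suite Steve observed by default.
suite_from_sample() {
    sample_handshake | negotiated_suite
}

suite_from_sample
```

The printed name is what you would put on a single-suite TLSCipherSuite line to confirm the server can still be reached with exactly the suite the client already prefers; to allow several suites, join the names with ":" as documented rather than with spaces.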
