[Pkg-openldap-devel] Bug#541256: TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1

Vedran Furač vedranf at vedranf.mine.nu
Wed Aug 12 19:06:52 UTC 2009


Package: slapd
Version: 2.4.17-1
Severity: important

OpenLDAP+gnutls worked fine for me for more than a year, but now I have
TLS problems again. It started on my unstable client when libnss-ldap
reported:

TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1

Then I upgraded gnutls and ldap on my server from lenny to unstable and
now even slapd doesn't start:

TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1.
main: TLS init def ctx failed: -1

If I comment out the line which defines the cipher:

TLSCipherSuite     TLS_RSA_AES_256_CBC_SHA1

it works again.

$ gnutls-cli -l|grep TLS_RSA_AES_256_CBC_SHA1
TLS_RSA_AES_256_CBC_SHA1     0x00, 0x35      SSL3.0

...so I don't see why it shouldn't work.

Thanks, bye!


-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=hr_HR.UTF-8, LC_CTYPE=hr_HR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages slapd depends on:
ii  adduser                   3.110          add and remove users and groups
ii  coreutils                 6.10-6         The GNU core utilities
ii  debconf [debconf-2.0]     1.5.24         Debian configuration management sy
ii  libc6                     2.9-23         GNU C Library: Shared libraries
ii  libdb4.7                  4.7.25-7       Berkeley v4.7 Database Libraries [
ii  libgnutls26               2.6.6-1        the GNU TLS library - runtime libr
ii  libldap-2.4-2             2.4.17-1       OpenLDAP libraries
ii  libltdl7                  2.2.6a-4       A system independent dlopen wrappe
ii  libperl5.10               5.10.0-19      Shared Perl library
ii  libsasl2-2                2.1.23.dfsg1-1 Cyrus SASL - authentication abstra
ii  libslp1                   1.2.1-7.5      OpenSLP libraries
ii  libwrap0                  7.6.q-16       Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-perl 5.10.0-19      Larry Wall's Practical Extraction
ii  psmisc                    22.6-1         Utilities that use the proc filesy
ii  unixodbc                  2.2.11-16      ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules          2.1.23.dfsg1-1 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                    2.4.17-1   OpenLDAP utilities

-- debconf information:
* slapd/tlsciphersuite:
  slapd/fix_directory: true
  shared/organization: nodomain
  slapd/upgrade_slapcat_failure:
  slapd/backend: BDB
  slapd/allow_ldap_v2: false
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/slave_databases_require_updateref:
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/autoconf_modules: true
  slapd/domain: nodomain
  slapd/password_mismatch:
  slapd/invalid_config: true
  slapd/slurpd_obsolete:
  slapd/upgrade_slapadd_failure:
  slapd/dump_database: when needed
  slapd/migrate_ldbm_to_bdb: false
  slapd/purge_database: false





