[Pkg-openldap-devel] Bug#541256: Bug#541256: Bug#541256: TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1

Quanah Gibson-Mount quanah at zimbra.com
Thu Aug 13 00:19:15 UTC 2009
--On Thursday, August 13, 2009 2:12 AM +0200 Vedran Furač 
<vedranf at vedranf.mine.nu> wrote:
>> Please see the upstream comments.  The issue is broken behavior on
>> GnuTLS' part.
>
> Ah... I see. Thanks for forwarding it! Anyway, I tried his suggestion
> and changed slapd.conf on server side and libnss/pam_ldap.conf/ldap.conf
> on client to have:
>
> TLSCipherSuite     +AES-256-CBC:+SHA1
>
> Now slapd starts, but connection (e.g. getent passwd) to it fails with:
>
> TLS: can't connect: No supported cipher suites have been found..
>
> And ldapsearch -ZZ:
>
> TLS: can't connect: A TLS packet with unexpected length was received.
Sadly, this is likely yet another case of broken behavior on GnuTLS' part, 
of which there are growing numbers, like 
<http://www.openldap.org/its/index.cgi/?findid=6252>. I'd recommend 
building your own openldap server and clients using OpenSSL, which is known 
to actually work.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
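The thread hinges on the fact that OpenLDAP's TLSCipherSuite directive is passed straight to the TLS library, so the accepted syntax depends on whether slapd was built against GnuTLS (priority strings such as the quoted "+AES-256-CBC:+SHA1") or OpenSSL (cipher-list strings such as "AES256-SHA"). The following is an added example, not code from the thread or from the OpenLDAP project: it uses Python's standard ssl module, which is backed by OpenSSL, to check offline whether a TLSCipherSuite value in OpenSSL syntax would select any TLS 1.2 cipher suite at all, which is the condition slapd reports as "could not set cipher list" when it fails. The GnuTLS-specific names in the thread are assumed to be GnuTLS's own suite and priority-string spellings and are not validated here, since the ssl module cannot speak for GnuTLS.

```python
"""Offline check of an OpenLDAP TLSCipherSuite value written in OpenSSL syntax.

Added example (assumption: slapd/libldap linked against OpenSSL, so the value is an
OpenSSL cipher-list string). Nothing here contacts a server.
"""
import ssl


def resolve_openssl_cipher_list(spec):
    """Return the TLS 1.2-and-earlier cipher names OpenSSL selects for `spec`.

    Returns None when the string selects nothing, which is the same condition
    that makes SSL_CTX_set_cipher_list() fail and slapd log "could not set
    cipher list". Unknown tokens are silently ignored by OpenSSL, so a typo
    only shows up as an empty (or unexpectedly small) selection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL reports "No cipher can be selected." for an empty result.
        return None
    # get_ciphers() also lists the TLS 1.3 suites, which set_ciphers() does not
    # govern; filter them out so the result reflects only what `spec` chose.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def explain(spec):
    """Human-readable verdict for one TLSCipherSuite candidate."""
    names = resolve_openssl_cipher_list(spec)
    if names is None:
        return "%r: selects no cipher suite (slapd would refuse it)" % spec
    return "%r: %d suite(s), e.g. %s" % (spec, len(names), ", ".join(names[:3]))


if __name__ == "__main__":
    # Constructed candidates: the GnuTLS-style suite name from the bug title,
    # the GnuTLS priority fragment from the quoted config, and the OpenSSL
    # spelling of TLS_RSA_WITH_AES_256_CBC_SHA.
    for candidate in ("TLS_RSA_AES_256_CBC_SHA1", "+AES-256-CBC:+SHA1", "AES256-SHA", "HIGH"):
        print(explain(candidate))
```

Running the script shows that the suite name from the bug title is not valid OpenSSL cipher-list syntax either; under an OpenSSL build the equivalent setting would be spelled "AES256-SHA" (or a broader list such as "HIGH"). Whether a given suite is actually offered also depends on the OpenSSL security level in force, so the list returned on the host running slapd is the one that matters.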
