[Pkg-openldap-devel] Bug#648056: Openldap fails to use existing cipher TLS_RSA_3DES_EDE_CBC_SHA1

Christophe Ségui christophe.segui at math.univ-toulouse.fr
Tue Nov 8 17:12:18 UTC 2011


Package: slapd
Version: 2.4.23-7.2


Openldap refuses to use cipher TLS_RSA_3DES_EDE_CBC_SHA1 when the cipher is available to the system.

Here is the output of gnutls-cli:

ldap3:/etc/ldap# gnutls-cli -l | grep TLS_RSA_3DES_EDE_CBC_SHA1
TLS_RSA_3DES_EDE_CBC_SHA1                         	0x00, 0x0a	SSL3.0


and gnutls-serv

ldap3:/etc/ldap# gnutls-serv -l | grep TLS_RSA_3DES_EDE_CBC_SHA1
TLS_RSA_3DES_EDE_CBC_SHA1                         	0x00, 0x0a	SSL3.0



and openldap refuses to start when this cipher is used (and only this one):

ldap3:/etc/ldap# /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -g openldap -u openldap -d9

[…]
TLS: could not set cipher list TLS_RSA_3DES_EDE_CBC_SHA1.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
syncinfo_free: rid=124
slapd stopped.
connections_destroy: nothing to destroy.



Here is the TLS relevant part of slapd.conf:

TLSCertificateFile /etc/ldap/ldap3.math.ups-tlse.fr.pem
TLSCertificateKeyFile /etc/ldap/ldap3.math.ups-tlse.fr.key
TLSCACertificateFile /etc/ldap/CNRS2-Standard.crt.full.tls
TLSCipherSuite TLS_RSA_3DES_EDE_CBC_SHA1



Here are the versions of libldap and libgnutls26:

ii  libgnutls26           2.8.6-1               the GNU TLS library - runtime library
ii  libldap-2.4-2         2.4.23-7.2            OpenLDAP libraries



Best Regards,
_______________________________________

Christophe Ségui
Head of Department
IT Department
Institut de Mathématiques de Toulouse - UMR 5219
Université de Toulouse, CNRS


UNIVERSITE PAUL SABATIER
Building 1R3, office 221
118 Route de Narbonne
31062 Toulouse Cedex 9

tel: 05.61.55.63.78	fax: 05.61.55.75.99
_______________________________________

Save energy, paper and ink: print this message only if necessary. To find out more, see www.ecoinfo.cnrs.fr
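As an added illustration, not part of the original report: a small Python lint that flags a TLSCipherSuite value shaped like an IANA-style ciphersuite name (what `gnutls-cli -l` prints) rather than a GnuTLS priority string. It assumes that slapd's GnuTLS backend hands the value to gnutls_priority_init(3), so the priority-string syntax is what it must accept; the keyword mapping table and the sample slapd.conf lines are constructed.

```python
import re

# Constructed mapping from the components of an IANA-style name
# (TLS_<kx>_<cipher>_<mac>) to GnuTLS priority-string keywords.
# Assumption: these spellings are the ones gnutls_priority_init() accepts.
KX = {"RSA": "RSA", "DHE_RSA": "DHE-RSA", "DHE_DSS": "DHE-DSS"}
CIPHER = {"3DES_EDE_CBC": "3DES-CBC", "AES_128_CBC": "AES-128-CBC",
          "AES_256_CBC": "AES-256-CBC", "ARCFOUR_128": "ARCFOUR-128"}
MAC = {"SHA1": "SHA1", "MD5": "MD5", "SHA256": "SHA256"}

# A priority string starts with an initial keyword, then ':'-separated
# entries, each optionally prefixed with '+', '-' or '!'.
INITIAL = {"NONE", "NORMAL", "SECURE", "SECURE128", "SECURE256",
           "EXPORT", "PERFORMANCE"}
ENTRY = re.compile(r"^[+\-!]?[A-Z0-9][A-Z0-9.\-]*$")
IANA = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_(?P<cipher>(?:3DES|AES|ARCFOUR)"
                  r"[A-Z0-9_]+)_(?P<mac>SHA1|MD5|SHA256)$")

def looks_like_priority_string(value):
    """True if value has the shape gnutls_priority_init() parses."""
    parts = value.split(":")
    if parts[0].upper() not in INITIAL:
        return False
    return all(ENTRY.match(p) for p in parts[1:])

def iana_name_to_priority(name):
    """Translate TLS_<kx>_<cipher>_<mac> into a priority string that enables
    only that suite; None if a component is not in the tables above."""
    m = IANA.match(name)
    if not m:
        return None
    kx, cipher, mac = KX.get(m["kx"]), CIPHER.get(m["cipher"]), MAC.get(m["mac"])
    if not (kx and cipher and mac):
        return None
    return "NONE:+VERS-TLS-ALL:+%s:+%s:+%s:+COMP-NULL" % (kx, cipher, mac)

def lint_tls_ciphersuite(conf_text):
    """Return (value, verdict, suggestion) for each TLSCipherSuite line."""
    findings = []
    for line in conf_text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0].lower() == "tlsciphersuite":
            if looks_like_priority_string(tok[1]):
                findings.append((tok[1], "ok", None))
            else:
                findings.append((tok[1], "not-a-priority-string",
                                 iana_name_to_priority(tok[1])))
    return findings

# Constructed sample mirroring the TLS section of the reported slapd.conf.
SAMPLE_CONF = ("TLSCertificateFile /etc/ldap/server.pem\n"
               "TLSCipherSuite TLS_RSA_3DES_EDE_CBC_SHA1\n")
```

Running `lint_tls_ciphersuite(SAMPLE_CONF)` reports the page's value as not a priority string and proposes the component form, which can then be confirmed against the GnuTLS version actually installed before restarting slapd.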
