[Pkg-openldap-devel] Bug#784179: slapd: libnet-ldap-perl fails to communicate with slapd using start_tls for TLSCipherSuite SECURE256

GALAMBOS Daniel dancsa at dancsa.hu
Sun May 3 23:39:45 UTC 2015


I also tried to debug it a little.

Dumping the network connection I noticed that if start_tls is used from
Net::LDAP, the Client Hello packet's cipher suite list does not contain
anything with SHA2 MD, only SHA1.
# gnutls-cli --priority SECURE256 -l command doesn't list anything with
SHA1. After receiving the Client Hello, slapd sends back FIN ACK and logs:
TLS: can't accept: Could not negotiate a supported cipher suite..
5546abc3 connection_read(16): TLS accept failure error=-1 id=1001, closing

When connecting from Net::LDAPS over TLS (636) the Client Hello's cipher
suite list contains a lot more entries and uses 'Cipher Suite:
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)'.

Attaching the two pcap files.

This is more likely a problem of libnet-ldap-perl or of the SSL library
that the Perl module uses.

Dancsa

On 05/04/2015 12:17 AM, Christian wrote:
> On Sun, 3 May 2015 15:05:48 -0700 Ryan Tandy <ryan at nardis.ca> wrote:
>> Control: tag -1 confirmed
>>
>> On Sun, May 03, 2015 at 11:39:05PM +0200, Christian Ospelkaus wrote:
>>> The perl module Net::LDAP in jessie fails to talk to a slapd on jessie using
>>> start_tls. Net::LDAP in jessie can, however, talk to a slapd running on
>>> wheezy.
>>
>> Thanks for the report. I confirm that behaviour and will take a closer 
>> look as soon as I can. It looks like it does work if I don't set 
>> olcTLSCipherSuite at all, so I wonder if the SECURE256 setting simply 
>> has no ciphers in common with Net::LDAP's defaults?
> 
> Thanks for the quick reply. Sorry I filed the report using a local email
> address. Please use chanlists at googlemail.com
> 
> From the libnet-ldap-perl documentation:
> 
> Net::LDAPS will by default use all the algorithms built into your copy
> of OpenSSL, except for ones considered to use "low" strength
> encryption, and those using export strength encryption. You can
> override this when you create the Net::LDAPS object using the
> 'ciphers' option.
> 
> I briefly looked at it, but I could not see how it would select specific
> ciphers. Thanks,
> 
> Christian
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-startls.pcap
Type: application/vnd.tcpdump.pcap
Size: 1354 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20150504/1e2b9699/attachment.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-tls.pcap
Type: application/vnd.tcpdump.pcap
Size: 4786 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20150504/1e2b9699/attachment-0001.pcap>
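The diagnosis above rests on one check: does the cipher-suite list in the Client Hello share any entry with what the server's SECURE256 policy accepts? The script below is an added example, not code from the bug report or from libnet-ldap-perl or slapd. It builds a minimal TLS 1.2 ClientHello record (constructed input, standing in for the attached pcaps), parses the offered suite IDs back out of it, and filters them with an approximation of the SECURE256 rule the thread describes (256-bit AES with a SHA-2 MAC, nothing with SHA-1); the `secure256_allows` function and the two sample offers are assumptions for illustration, not the exact GnuTLS priority table or the exact lists in the pcaps.

```python
import struct

# Subset of IANA TLS cipher-suite IDs used by this example.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

# Constructed sample offers: the first mimics a client that only offers SHA-1
# suites (the start_tls case in the report), the second one that also offers
# SHA-2 suites (the LDAPS case). They are NOT the exact lists from the pcaps.
START_TLS_OFFER = [0x0035, 0x0039, 0x002F]
LDAPS_OFFER = [0x003D, 0x006B, 0x009D, 0x0035]


def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record carrying the given suites."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs       # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                           # one compression method: null
    body += b"\x00\x00"                           # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher-suite IDs offered in a TLS ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    off = 2 + 32                                  # skip client_version and random
    sid_len = body[off]
    off += 1 + sid_len                            # skip session_id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    cs = body[off:off + cs_len]
    if len(cs) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher_suites list")
    return [struct.unpack(">H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]


def secure256_allows(suite_id):
    """Assumed approximation of GnuTLS SECURE256: 256-bit AES with a SHA-2 MAC.

    Suites whose name ends in "_SHA" use a SHA-1 MAC and are rejected, which is
    the mismatch the thread describes.
    """
    name = CIPHER_NAMES.get(suite_id, "")
    return "AES_256" in name and not name.endswith("_SHA")


def negotiable(client_suites, policy=secure256_allows):
    """Suites the server could pick, in the client's preference order."""
    return [s for s in client_suites if policy(s)]


if __name__ == "__main__":
    for label, offer in (("start_tls", START_TLS_OFFER), ("ldaps", LDAPS_OFFER)):
        offered = parse_client_hello_suites(build_client_hello(offer))
        common = negotiable(offered)
        names = [CIPHER_NAMES.get(s, hex(s)) for s in common]
        print(f"{label}: offered {len(offered)} suites, SECURE256 accepts {names or 'none'}")
```

Run against a real capture, the parser would be fed the TLS record bytes of the Client Hello instead of `build_client_hello(...)`; an empty result from `negotiable` is exactly the condition that produces the "Could not negotiate a supported cipher suite" failure quoted above.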