[Pkg-openldap-devel] Bug#784179: slapd: libnet-ldap-perl fails to communicate with slapd using start_tls for TLSCipherSuite SECURE256

GALAMBOS Daniel dancsa at dancsa.hu
Mon May 4 00:21:24 UTC 2015


reassign 784179 libnet-ldap-perl
thanks

Reassigning to libnet-ldap-perl because the problem doesn't have
anything to do with slapd, if I'm correct.

You can get Net::LDAP to connect with startSSL if you specify the
sslversion as TLS1.2, i.e.
$ldap->start_tls('sslversion'=>'TLSv1_2' );

LDAP.pm:1103 restricts the TLS version to 1.0 unless otherwise
specified. This restriction doesn't apply if you connect over LDAPS: if
you don't specify the sslversion there, the IO::Socket::SSL default
'SSLv23:!SSLv3:!SSLv2' is used, so TLSv1_2 is enabled too.

Dancsa


On 05/04/2015 01:39 AM, GALAMBOS Daniel wrote:
> I also tried to debug it a little.
> 
> Dumping the network connection I noticed that if start_tls is used from
> Net::LDAP, the Client Hello packet cipher suite list does not contain
> anything with a SHA2 MD, only SHA1.
> # gnutls-cli --priority SECURE256 -l command doesn't list anything with
> sha1. After receiving the Client Hello, slapd sends back FIN ACK and logs:
> TLS: can't accept: Could not negotiate a supported cipher suite..
> 5546abc3 connection_read(16): TLS accept failure error=-1 id=1001, closing
> 
> When connecting from Net::LDAPS over TLS (636) the Client Hello's cipher
> suite list contains a lot more entries and uses 'Cipher Suite:
> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)'
> 
> Attaching the two pcap files.
> 
> This is more likely a problem with libnet-ldap-perl or the SSL library
> that the perl module uses.
> 
> Dancsa
> 
> On 05/04/2015 12:17 AM, Christian wrote:
>> On Sun, 3 May 2015 15:05:48 -0700 Ryan Tandy <ryan at nardis.ca> wrote:
>>> Control: tag -1 confirmed
>>>
>>> On Sun, May 03, 2015 at 11:39:05PM +0200, Christian Ospelkaus wrote:
>>>> The perl module Net::LDAP in jessie fails to talk to a slapd on jessie using
>>>> start_tls. Net::LDAP in jessie can, however, talk to a slapd running on
>>>> wheezy.
>>>
>>> Thanks for the report. I confirm that behaviour and will take a closer 
>>> look as soon as I can. It looks like it does work if I don't set 
>>> olcTLSCipherSuite at all, so I wonder if the SECURE256 setting simply 
>>> has no ciphers in common with Net::LDAP's defaults?
>>
>> Thanks for the quick reply. Sorry I filed the report using a local email
>> address. Please use chanlists at googlemail.com
>>
>> From the libnet-ldap-perl documentation:
>>
>> Net::LDAPS will by default use all the algorithms built into your copy
>> of OpenSSL, except for ones considered to use "low" strength
>> encryption, and those using export strength encryption. You can
>> override this when you create the Net::LDAPS object using the
>> 'ciphers' option.
>>
>> I briefly looked at it, but I could not see how it would select specific
>> ciphers. Thanks,
>>
>> Christian
>>
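The workaround from the reassignment message above, written out as a complete client, as an added example that is not part of the bug report or of libnet-ldap-perl itself. It requests TLS 1.2 explicitly in start_tls (so the Client Hello can offer the SHA-256 suites a SECURE256 server insists on), validates the server certificate, and prints what was actually negotiated; the hostname and CA bundle path are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): STARTTLS to an LDAP server
# with an explicit TLS 1.2 request, then report the negotiated
# protocol and cipher so a silent downgrade cannot go unnoticed.
use strict;
use warnings;
use Net::LDAP;

# Assumed values; pass your own on the command line.
my $host   = $ARGV[0] // 'ldap.example.org';
my $cafile = $ARGV[1] // '/etc/ssl/certs/ca-certificates.crt';

my $ldap = Net::LDAP->new($host, port => 389)
    or die "Cannot reach $host: $@\n";

# Without 'sslversion', Net::LDAP (LDAP.pm:1103 in the report) only
# offers TLS 1.0, whose Client Hello carries no SHA-2 cipher suites,
# so a slapd configured with TLSCipherSuite SECURE256 closes the
# connection with "Could not negotiate a supported cipher suite".
my $mesg = $ldap->start_tls(
    sslversion => 'TLSv1_2',
    verify     => 'require',   # also validate the server certificate
    cafile     => $cafile,
);
if ($mesg->code) {
    die sprintf "start_tls failed: %s (code %d)\n",
        $mesg->error, $mesg->code;
}

# IO::Socket::SSL reports the negotiated protocol; Net::LDAP the cipher.
printf "negotiated %s with cipher %s\n",
    $ldap->socket->get_sslversion, $ldap->cipher;

$ldap->unbind;
```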


