Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names

Pirate Praveen praveen at debian.org
Thu Feb 19 12:29:55 GMT 2026



On 2/19/26 3:30 PM, Ondřej Kuzník wrote:
> On Thu, Feb 19, 2026 at 04:43:25AM +0530, Pirate Praveen wrote:
>> New version of slapd switched SSL backend to OpenSSL from GNUtls as documented
>> in libldap2 NEWS file.
>>
>> But how to actually update the values in a way that will fix the issue is not
>> documented.
>>
>>     * What outcome did you expect instead?
>>
>> The exact steps to have a successful upgrade should be documented.
>>
>> Here is the error in log,
>>
>> main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match
>>
>> In bookworm the value that works is,
>>
>> olcTLSCipherSuite: NORMAL
>>
>> But it will not work in trixie. Removing this entry did not fix the issue.
>>
>> # cat delete-ciphers.ldif
>> dn: cn=config
>> changetype: modify
>> delete: olcTLSCipherSuite
>> olcTLSCipherSuite: NORMAL
>>
>> ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif
>>
>> This just removes the error message, but slapd does not start after the
>> upgrade.
>>
>> 2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP:
>> slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP Maintainers
>> <pkg-openldap-devel at lists.alioth.debian.org>
>> 2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting
>> 2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown
>> requested and initiated.
>> 2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown:
>> waiting for 0 operations/tasks to finish
>> 2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped.
> 
> Good morning,
> like you said, can't see any errors here, however some library messages
> are not sent to syslog so you might get more details about the error
> from stderr. You should probably run slaptest with the appropriate debug
> flags enabled (`-d flag,flag,...`, should probably include at least
> `config`) to check that it's happy with the rest of the configuration
> and see whether anything else comes up.
> 

Nothing turned up with slaptest -d config

# slaptest -d config
loaded module back_mdb
module back_mdb: null module registered
index objectClass 0x0004
index cn 0x0004
index uid 0x0004
index uidNumber 0x0004
index gidNumber 0x0004
index member 0x0004
index memberUid 0x0004
index email 0x0004
index mail 0x0004
mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

> Other than that, yes, you can generally remove the attribute before
> upgrade and either leave it to whatever OpenSSL considers default or add
> whatever is appropriate for your environment after you've switched. Same
> with any other attributes you might come across this way.

With slaptest not giving any errors, I wonder which other attribute is 
problematic.

These are the other options we set,

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

I will try deleting these one by one as well (deleting olcTLSCipherSuite 
was tried already).

> Regards,
> 

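Added example, not from this thread or the Debian packages: a pre-upgrade check that reads a `slapcat -n 0` export, hands every olcTLSCipherSuite value to OpenSSL's cipher-list parser through Python's `ssl` module (the parser that reports `no cipher match`, the error in the log above) and emits a delete LDIF in the shape of delete-ciphers.ldif for each value it rejects. The sample LDIF is constructed; it is an assumption that slapd's OpenSSL backend applies the same SSL_CTX_set_cipher_list check to this attribute.

```python
import re
import ssl

# Constructed sample of `slapcat -n 0` output for cn=config, carrying the
# TLS attributes set in this thread (not a real export from the reporter).
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 3.3
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from slapcat LDIF; base64 '::' values are left encoded."""
    text = re.sub(r"\n ", "", text)          # re-join folded continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name, []).append(value.strip())
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def openssl_accepts(cipher_string):
    """True if OpenSSL's cipher-list parser accepts the string; a GnuTLS priority
    string such as NORMAL selects no cipher ('no cipher match', as in the log)."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False

def rejected_cipher_suites(ldif_text):
    """[(dn, value)] for every olcTLSCipherSuite value OpenSSL rejects."""
    return [(dn, v) for dn, attrs in parse_ldif(ldif_text)
            for v in attrs.get("olcTLSCipherSuite", [])
            if not openssl_accepts(v)]

def delete_ldif(dn, value):
    """ldapmodify input dropping the value, shaped like delete-ciphers.ldif above."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"delete: olcTLSCipherSuite\nolcTLSCipherSuite: {value}\n")
```

Run `rejected_cipher_suites(open("config.ldif").read())` on a real export before the upgrade and feed each `delete_ldif(...)` result to `ldapmodify -Y EXTERNAL -H ldapi:///`.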