Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names
Pirate Praveen
praveen at debian.org
Fri Feb 20 17:25:36 GMT 2026
On 2/20/26 7:59 PM, Pirate Praveen wrote:
> If you don't remove any incompatible options, you will see this error in
> slapd logs after the upgrade and slapd service will fail to start.
>
> main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher
> match
>
> You can run this command to see if any value is set,
>
> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base | grep olcTLSCipherSuite
I think we should also check for this variable and abort the upgrade, as
there is no way to recover it after it is upgraded (except maybe
modifying the db directly) as slapd won't start.
If this is detected, we should show a warning and give the migration
steps documentation reference and ask for explicit confirmation before
proceeding with the upgrade.
I just tried with olcSecurity: tls=0 before upgrade, but I'm not able to
start it with just "ldap:/// and ldapi:///" options. Is there another
way to disable TLS completely to repair a broken upgrade?
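The pre-upgrade check proposed above, written out as an added example (not code from this bug report or from the slapd package): it reads the cn=config LDIF that the ldapsearch command in the quoted message produces, rejoins LDIF continuation lines (a plain grep only shows the first fragment of a long wrapped value), and returns non-zero with a warning when olcTLSCipherSuite is set. The sample LDIF, its cipher string and the documentation placeholder are constructed.

```shell
#!/bin/sh
# Added example (not code from the bug report or the slapd package): a
# pre-upgrade check for olcTLSCipherSuite in cn=config, as proposed in the
# message above. Reads LDIF on stdin, e.g. from
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base -LLL
# The sample LDIF, the cipher string and the doc placeholder are constructed.

# Print the olcTLSCipherSuite value. LDIF wraps long values onto
# continuation lines that start with one space, so a plain grep sees only
# the first fragment; awk rejoins them before the attribute is matched.
extract_cipher_suite() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append
        { if (buf != "") print buf; buf = $0 }   # emit previous logical line
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "olcTLSCipherSuite: "*) printf '%s\n' "${line#"olcTLSCipherSuite: "}" ;;
        esac
    done
}

# Return 0 when no cipher suite is configured; otherwise print a warning
# that a maintainer script can show before asking for confirmation, and
# return 1 so the caller can abort the upgrade.
check_cipher_suite() {
    suite=$(extract_cipher_suite)
    [ -z "$suite" ] && return 0
    cat >&2 <<EOF
WARNING: cn=config sets olcTLSCipherSuite: $suite
If this value uses cipher names the new slapd does not know, slapd will
fail to start after the upgrade with "no cipher match". Remove or convert
it first; see the migration steps at <MIGRATION-DOCS-PLACEHOLDER>.
EOF
    return 1
}

# Constructed sample: a wrapped olcTLSCipherSuite value plus olcSecurity.
SAMPLE_LDIF='dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0:-VERS-TLS1.0
 :+VERS-TLS1.3
olcSecurity: tls=0
'

printf '%s' "$SAMPLE_LDIF" | check_cipher_suite || echo "upgrade check: abort"
```

Once the target libssl is the one installed, `openssl ciphers "$suite"` asks the same question slapd's TLS init does, since the "no cipher match" text in the quoted log line is OpenSSL's.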