[Pkg-openssl-devel] Bug#1027830: openssl: starttls fails on our LDAP server on bullseye, but it works on buster

Jonathan itb at sintjansbrug.nl
Tue Jan 3 20:21:57 GMT 2023


Package: openssl
Version: 1.1.1k-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

After trying to update to bullseye, connecting to our LDAP server no longer works, both with the pam_ldap package and with ldapsearch from ldap-utils.


   * What exactly did you do (or not do) that was effective (or
     ineffective)?
On Debian 9 or 10, or on Ubuntu 22.04, our configuration works and ldapsearch with the -ZZ flag works. 
On Debian 11, it does not. I've tried installing the version of the openssl package that Debian 10 uses on a Debian 11 system, but still it didn't work. 
Querying the server with the following command works perfectly:

openssl s_client -starttls ldap -connect <hostname>:<port>

The output of this command says amongst other things "SSL handshake has read 4692 bytes and written 436 bytes. Verification: OK" and lists the full certificate chain. 
When adding the -showcerts flag, all certificates in the chain are shown successfully.


   * What was the outcome of this action?
ldapsearch gives the following output: 

ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)


   * What outcome did you expect instead?

It should query the LDAP server and successfully return data.


-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.83-1-pve (SMP w/1 CPU thread)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6      2.31-13
ii  libssl1.1  1.1.1k-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20210119

-- no debconf information
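Added example (not code from the bug report, from OpenSSL or from OpenLDAP): the LDAP StartTLS extended operation that both `openssl s_client -starttls ldap` and `ldapsearch -ZZ` perform on the plaintext connection before the TLS handshake, encoded by hand in Python. It shows the client request, a constructed server reply for the success and refusal cases, a strict parser for that reply, and a full client flow that only wraps the socket in a *verifying* TLS context after the server accepted StartTLS. The host, port and CA file in `starttls_connect` are placeholders; the sample replies are built locally and stand in for a real server.

```python
"""LDAP StartTLS (RFC 4511 section 4.14) by hand: the exchange that `ldapsearch -ZZ`
and `openssl s_client -starttls ldap` both do before the TLS handshake.  Added example,
not code from the bug report, OpenSSL or OpenLDAP."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:  # indefinite form is not valid in LDAP
            raise ValueError("unsupported BER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id: int = 1) -> bytes:
    """Client: LDAPMessage { messageID, ExtendedRequest { requestName [0] } }.
    LDAP uses implicit tags: [APPLICATION 23] constructed is 0x77, [0] is 0x80.
    msg_id is assumed below 128 so the INTEGER fits in one byte."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))

def starttls_response(msg_id: int, result_code: int, diagnostic: bytes = b"") -> bytes:
    """Server: ExtendedResponse [APPLICATION 24] (0x78) = LDAPResult + responseName [10] (0x8A).
    Used here only to construct sample replies for the offline round trip."""
    body = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diagnostic)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x78, body + ber(0x8A, STARTTLS_OID)))

def parse_starttls_response(msg: bytes, expected_id: int = 1) -> dict:
    """Decode the reply and check it is the ExtendedResponse to *our* request."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    msg_id = int.from_bytes(mid, "big")
    if tag != 0x02 or msg_id != expected_id:  # e.g. Notice of Disconnection uses id 0
        raise ValueError(f"unexpected messageID {msg_id}")
    tag_op, op, _ = read_tlv(body, pos)
    if tag_op != 0x78:
        raise ValueError(f"not an ExtendedResponse (tag 0x{tag_op:02x})")
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, pos = read_tlv(op, pos)     # diagnosticMessage
    result = {"message_id": msg_id, "result_code": int.from_bytes(code, "big"),
              "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace"),
              "response_name": None}
    while pos < len(op):  # optional: referral [3] (0xA3), responseName [10] (0x8A)
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:
            result["response_name"] = val.decode()
    return result

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection during StartTLS")
        buf += chunk
    return buf

def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage and not a byte of what follows it."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        return head + recv_exact(sock, head[1])
    more = recv_exact(sock, head[1] & 0x7F)
    return head + more + recv_exact(sock, int.from_bytes(more, "big"))

def starttls_connect(host: str, port: int = 389, cafile=None) -> ssl.SSLSocket:
    """Client flow: plain TCP, StartTLS, then a verifying TLS handshake (CERT_REQUIRED
    plus hostname check), which is what -ZZ insists on.  host/port/cafile are placeholders."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(starttls_request(1))
    reply = parse_starttls_response(recv_ldap_message(sock), expected_id=1)
    if reply["result_code"] != 0:
        sock.close()
        raise ConnectionError(f"StartTLS refused: {reply['result_code']} {reply['diagnostic']!r}")
    ctx = ssl.create_default_context(cafile=cafile)  # system CA store unless cafile is given
    return ctx.wrap_socket(sock, server_hostname=host)
```

Two things worth keeping in mind when comparing the two tools as the report does: the StartTLS round trip itself is identical, but the trust configuration used for the handshake that follows is not. `openssl s_client` verifies against OpenSSL's default store (or whatever `-CAfile`/`-CApath` you pass), while libldap, and therefore ldapsearch and pam_ldap, takes its CA file and verification policy from ldap.conf (`TLS_CACERT`, `TLS_REQCERT`) and its own `LDAPTLS_*` environment overrides. A "Verification: OK" from s_client therefore shows the chain is valid against one store, not that libldap is looking at the same one; running ldapsearch with `-d 1` prints the TLS-layer messages that the bare `Connect error (-11)` hides.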
