FS#53865 - [openldap] slapd TLSCipherSuite option broken
Attached to Project:
Arch Linux
Opened by Maarten de Vries (de-vri-es) - Friday, 28 April 2017, 10:59 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 15 August 2017, 11:36 GMT
Details
Description: Trying to set a cipher suite for slapd will result in an error with the following message:
> TLS: could not set cipher list HIGH

I also tried HIGH:MEDIUM and MEDIUM for testing, the results were the same. This is probably related to openssl 1.1.0. I tested with openldap-2.4.44-4. Compiling the 2.4.44 release manually results in the same error. The problem is gone in the latest git master.

It is an upstream problem, but not being able to set a cipher list is a big problem for public LDAP servers. If there is an easy fix it may be worth applying it.

According to OpenLDAP ticket 8633 [1], openssl 1.1.0 isn't supported by release 2.4.44. Someone there also says that a release candidate for 2.4.45 should work, but I couldn't find that release candidate to test. The tag OPENLDAP_REL_ENG_2_4 from the openldap git repository did seem to work correctly.

[1] https://www.openldap.org/its/index.cgi/Incoming?id=8633
Closed by Jan de Groot (JGC)
Tuesday, 15 August 2017, 11:36 GMT
Reason for closing: Fixed
Additional comments about closing: Updated to 2.4.45, uses OpenSSL 1.1 now.
Comment by Maarten de Vries (de-vri-es) - Friday, 28 April 2017, 11:27 GMT
Oops, I forgot the square brackets around the package name in the summary.

Comment by Jan de Groot (JGC) - Friday, 28 April 2017, 12:54 GMT
The problem here is that OpenLDAP doesn't support OpenSSL 1.1 and configure did a silent fallback to gnutls. The HIGH/MEDIUM/LOW cipher suites are OpenSSL-specific and don't work with GNUTLS.

Comment by Maarten de Vries (de-vri-es) - Friday, 28 April 2017, 13:15 GMT
I see, that makes sense. Note that gnutls is not listed as a dependency of openldap/libldap (not even indirectly). Let's hope openldap quickly releases 2.4.45...

Comment by Niklas Söderlund (neg) - Tuesday, 11 July 2017, 09:38 GMT
Openldap released 2.4.45 a while back, is there anything blocking this package from being updated to fix this annoying issue?
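One way to catch the silent GnuTLS fallback Jan describes before a TLSCipherSuite value is deployed, as an added example (not code from the bug report, from Arch or from OpenLDAP): it classifies an ldd listing by the TLS library it names and flags an OpenSSL-style cipher string on a GnuTLS build. The ldd listings in the block are constructed samples; the check of the local slapd only runs when slapd and ldd exist on the host.

```shell
#!/bin/sh
# Added example: detect which TLS backend slapd/libldap really links against
# (configure may have fallen back to GnuTLS without saying so) and check that
# a TLSCipherSuite value uses that backend's syntax.

# Classify an `ldd` listing, passed as text, by the TLS library it names.
tls_backend_from_ldd() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo openssl
    elif printf '%s\n' "$1" | grep -q 'libgnutls\.so'; then
        echo gnutls
    else
        echo unknown
    fi
}

# Return 0 when the cipher string plausibly matches the backend's syntax.
# OpenSSL cipher lists are ':'-joined keywords such as HIGH, MEDIUM, LOW, ALL;
# GnuTLS priority strings open with NORMAL, SECURE128, SECURE256, PFS, LEGACY...
check_cipher_suite() {
    backend=$1
    suite=$2
    case "$suite" in
        NORMAL*|SECURE128*|SECURE192*|SECURE256*|PFS*|PERFORMANCE*|LEGACY*|SUITEB*)
            suite_style=gnutls ;;
        *)
            suite_style=openssl ;;
    esac
    [ "$backend" = "$suite_style" ]
}

# Constructed sample ldd listings (load addresses shortened) for both builds.
SAMPLE_LDD_OPENSSL='	libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0)
	libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x0)
	libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x0)'
SAMPLE_LDD_GNUTLS='	libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0)
	libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x0)'

# Inspect the real installation only when slapd and ldd are present here.
if command -v slapd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    local_backend=$(tls_backend_from_ldd "$(ldd "$(command -v slapd)")")
    echo "slapd TLS backend: $local_backend"
    if check_cipher_suite "$local_backend" 'HIGH'; then
        echo "TLSCipherSuite HIGH matches this backend"
    else
        echo "TLSCipherSuite HIGH will fail: 'could not set cipher list'"
    fi
fi
```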