FS#53865 - [openldap] slapd TLSCipherSuite option broken

Attached to Project: Arch Linux
Opened by Maarten de Vries (de-vri-es) - Friday, 28 April 2017, 10:59 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 15 August 2017, 11:36 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Sébastien Luttringer (seblu)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description: Trying to set a cipher suite for slapd will result in an error with the following message:
> TLS: could not set cipher list HIGH.

I also tried HIGH:MEDIUM and MEDIUM for testing; the results were the same. This is probably related to openssl 1.1.0.

I tested with openldap-2.4.44-4. Compiling the 2.4.44 release manually results in the same error. The problem is gone in the latest git master. It is an upstream problem, but not being able to set a cipher list is a big problem for public LDAP servers. If there is an easy fix it may be worth applying it.

According to OpenLDAP ticket 8633 [1], openssl 1.1.0 isn't supported by release 2.4.44. Someone there also says that a release candidate for 2.4.45 should work, but I couldn't find that release candidate to test. The tag OPENLDAP_REL_ENG_2_4 from the openldap git repository did seem to work correctly.

[1] https://www.openldap.org/its/index.cgi/Incoming?id=8633

Closed by Jan de Groot (JGC)
Tuesday, 15 August 2017, 11:36 GMT
Reason for closing:  Fixed
Additional comments about closing:  Updated to 2.4.45, uses OpenSSL 1.1 now.
Comment by Maarten de Vries (de-vri-es) - Friday, 28 April 2017, 11:27 GMT
Oops, I forgot the square brackets around the package name in the summary.
Comment by Jan de Groot (JGC) - Friday, 28 April 2017, 12:54 GMT
The problem here is that OpenLDAP doesn't support OpenSSL 1.1 and configure did a silent fallback to gnutls. The HIGH/MEDIUM/LOW cipher suites are OpenSSL specific and don't work with GNUTLS.
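A pre-deployment check in the spirit of the diagnosis above, added here as example code (it is not from the bug report, the Arch package or OpenLDAP): it classifies which TLS library libldap is linked against from `ldd` output and predicts whether a given `TLSCipherSuite` value will be accepted. The `ldd` outputs are constructed samples. On the OpenSSL side it uses Python's own `ssl` module (which is linked against OpenSSL) to expand the cipher list exactly as libssl would, so the same string that fails in slapd fails here; on the GnuTLS side it only flags OpenSSL-only keywords such as HIGH/MEDIUM/LOW, since no GnuTLS binding is assumed to be available. The default libldap path and the keyword table are assumptions.

```python
"""Predict whether slapd will accept a TLSCipherSuite value, given which TLS library
libldap is actually linked against (OpenSSL cipher list vs GnuTLS priority string).
Example code for this bug thread; not from OpenLDAP or the Arch package."""
import re
import ssl
import subprocess

# Constructed `ldd` outputs for libldap (written for this example, not captured from a
# real host); the load addresses are placeholders.
LDD_GNUTLS = (
    "\tliblber.so.2 => /usr/lib/liblber.so.2 (0x00007f1a0c200000)\n"
    "\tlibgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f1a0be00000)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1a0bc00000)\n"
)
LDD_OPENSSL = (
    "\tliblber.so.2 => /usr/lib/liblber.so.2 (0x00007f1a0c200000)\n"
    "\tlibssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f1a0bf00000)\n"
    "\tlibcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f1a0ba00000)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1a0bc00000)\n"
)

# Keywords that exist only in OpenSSL's cipher-list grammar.  GnuTLS priority strings
# use a different vocabulary (NORMAL, SECURE128, SECURE256, PFS, +/-ALGO, %FLAG), so
# these never match anything there.  Assumed table for this example.
OPENSSL_ONLY_KEYWORDS = {"HIGH", "MEDIUM", "LOW", "DEFAULT", "COMPLEMENTOFDEFAULT",
                         "ALL", "COMPLEMENTOFALL", "EXPORT"}


def tls_backend(ldd_output: str) -> str:
    """Classify libldap's TLS backend from `ldd` output: 'gnutls', 'openssl' or 'unknown'."""
    if re.search(r"\blibgnutls\.so", ldd_output):
        return "gnutls"
    if re.search(r"\blibssl\.so", ldd_output):
        return "openssl"
    return "unknown"


def backend_of(libldap_path: str = "/usr/lib/libldap.so") -> str:
    """Run ldd on the installed libldap (the path is an assumption) and classify it."""
    try:
        proc = subprocess.run(["ldd", libldap_path], capture_output=True, text=True)
    except OSError:  # ldd missing or not executable
        return "unknown"
    return tls_backend(proc.stdout)


def openssl_cipher_list(spec: str) -> list:
    """Expand an OpenSSL cipher-list string the way libssl does (Python's ssl module is
    linked against OpenSSL); raises ssl.SSLError when no TLS 1.2 cipher matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names: list) -> list:
    """Cipher names a public server should never offer, whatever the keyword expanded to."""
    return [n for n in names if re.search(r"NULL|RC4|MD5|EXP|DES", n)]


def check_cipher_suite(spec: str, backend: str) -> dict:
    """Predict the outcome of `TLSCipherSuite spec` on the given backend.
    ok=True: accepted; ok=False: slapd would log 'could not set cipher list';
    ok=None: syntax not checked here (no GnuTLS available offline)."""
    if backend == "openssl":
        try:
            names = openssl_cipher_list(spec)
        except ssl.SSLError as exc:
            return {"ok": False, "ciphers": [], "reason": f"OpenSSL rejected it: {exc}"}
        return {"ok": True, "ciphers": names, "weak": weak_ciphers(names),
                "reason": "valid OpenSSL cipher list"}
    if backend == "gnutls":
        tokens = [t.lstrip("+-!%").upper() for t in spec.split(":") if t]
        bad = [t for t in tokens if t in OPENSSL_ONLY_KEYWORDS]
        if bad:
            return {"ok": False, "ciphers": [],
                    "reason": f"OpenSSL-only keywords in a GnuTLS priority string: {bad}"}
        return {"ok": None, "ciphers": [], "reason": "GnuTLS syntax not validated here"}
    return {"ok": None, "ciphers": [], "reason": f"unknown backend {backend!r}"}


if __name__ == "__main__":
    for out, spec in ((LDD_GNUTLS, "HIGH"), (LDD_OPENSSL, "HIGH"),
                      (LDD_OPENSSL, "SECURE256:+SECURE128")):
        be = tls_backend(out)
        r = check_cipher_suite(spec, be)
        print(f"{be:8} TLSCipherSuite {spec!r}: ok={r['ok']} ({r['reason']})")
        if r["ciphers"]:
            print(f"         {len(r['ciphers'])} ciphers, weak: {r['weak']}")
```

Run `backend_of()` on the real host to replace the constructed `ldd` samples; if it reports `gnutls`, the `HIGH`/`MEDIUM` values from the report cannot work no matter how slapd.conf is written, and the fix is the library the package was built against, not the directive.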
Comment by Maarten de Vries (de-vri-es) - Friday, 28 April 2017, 13:15 GMT
I see, that makes sense. Note that gnutls is not listed as a dependency of openldap/libldap (not even indirectly). Let's hope openldap quickly releases 2.4.45...
Comment by Niklas Söderlund (neg) - Tuesday, 11 July 2017, 09:38 GMT
Openldap released 2.4.45 a while back, is there anything blocking this package from being updated to fix this annoying issue?