https://bugs.openldap.org/show_bug.cgi?id=9546
Issue ID: 9546
Summary: error:141A90B5:SSL
routines:ssl_cipher_list_to_bytes:no ciphers available
Product: OpenLDAP
Version: 2.5.4
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
TL;DR:
TLSCipherSuite HIGH in slapd.conf results in this error message both for
incoming connections and out-going syncrepl connections:
error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
If I comment TLSCipherSuite in the 2.5.4 slapd.conf everything works.
Details:
It fails when setting this in slapd provider (2.4.58) *and* consumer
(2.5.4):
TLSProtocolMin 3.3
TLSCipherSuite HIGH
This works when connecting with 2.5.4 CLI tools to 2.4.58 server:
LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH
/opt/openldap-ms/bin/ldapwhoami ..
But connecting even only with openssl s_client to 2.5.4 server does not
work with the above TLSCipherSuite settings.
All systems have OpenSSL 1.1.1k. The symlink
/etc/crypto-policies/back-ends/openssl.config points to
/usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Not sure what is really affected by this file.
You can see how RPMs are built in OBS:
https://build.opensuse.org/package/show/security:tls/openssl-1_1https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9602
Issue ID: 9602
Summary: Remove the build warnings in tls_o.c
Product: OpenLDAP
Version: 2.5.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: Bin.Lan(a)windriver.com
Target Milestone: ---
Created attachment 829
--> https://bugs.openldap.org/attachment.cgi?id=829&action=edit
the issue fix patch
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9601
Issue ID: 9601
Summary: Remove the build warnings in tpool.c
Product: OpenLDAP
Version: 2.5.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: Bin.Lan(a)windriver.com
Target Milestone: ---
Created attachment 828
--> https://bugs.openldap.org/attachment.cgi?id=828&action=edit
the issue patch
tpool.c:721:12: warning: 8 enumeration values not handled in switch:
'LDAP_PVT_THREAD_POOL_PARAM_UNKNOWN', 'LDAP_PVT_THREAD_POOL_PARAM_MAX',
'LDAP_PVT_THREAD_POOL_PARAM_MAX_PENDING'... [-Wswitch]
switch(param) {
^
1 warning generated.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9578
Issue ID: 9578
Summary: Buffer overflow at libraries/libldap/ldif.c:907
(ldif_read_record)
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: grapvar(a)gmail.com
Target Milestone: ---
Created attachment 827
--> https://bugs.openldap.org/attachment.cgi?id=827&action=edit
fix
libraries/libldap/ldif.c:829
> /* Squash \r\n to \n */
> if ( len > 1 && line[len-2] == '\r' ) {
> len--;
> line[len-1] = '\n';
> }
may cause buffer overflow at
libraries/libldap/ldif.c:907
> strcpy( *bufp + lcur, line );
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9591
Issue ID: 9591
Summary: Solaris builds broken due to map file
Product: OpenLDAP
Version: 2.5.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
Solaris 11.4 fails to build because it uses a different option for the library
symbol versioning map file. We need to detect this and provide the correct
option (more at
https://blogs.oracle.com/solaris/regex_and_glob_for_mapfiles-v2)
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9220
Bug ID: 9220
Summary: Rewrite Bind and Exop result handling
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
Bind and Exop result handling needs a rewrite so it is no longer a special case
for overlays.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9593
Issue ID: 9593
Summary: excessive null check in set_chase()
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: grapvar(a)gmail.com
Target Milestone: ---
Looks like slap_set_join( cp, nset, '|', vals ) can't return null, so return
value at line 411 should be treated like one at line 402:
servers/slapd/sets.c:399, set_chase():
for ( i = 0; !BER_BVISNULL( &set[ i ] ); i++ ) {
vals = gatherer( cp, &set[ i ], desc );
if ( vals != NULL ) {
/*402: */ nset = slap_set_join( cp, nset, '|', vals );
}
}
ber_bvarray_free_x( set, cp->set_op->o_tmpmemctx );
if ( closure ) {
for ( i = 0; !BER_BVISNULL( &nset[ i ] ); i++ ) {
vals = gatherer( cp, &nset[ i ], desc );
if ( vals != NULL ) {
/*411: */ nset = slap_set_join( cp, nset, '|', vals );
if ( nset == NULL ) {
break;
}
}
}
}
diff --git a/servers/slapd/sets.c b/servers/slapd/sets.c
index fc7b72c8b..17a6ec2c1 100644
--- a/servers/slapd/sets.c
+++ b/servers/slapd/sets.c
@@ -409,9 +409,6 @@ set_chase( SLAP_SET_GATHER gatherer,
vals = gatherer( cp, &nset[ i ], desc );
if ( vals != NULL ) {
nset = slap_set_join( cp, nset, '|', vals );
- if ( nset == NULL ) {
- break;
- }
If I'm wrong, return value at line 402 must be checked for null.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9431
Issue ID: 9431
Summary: back-mdb: Always have an equality index for
objectClass
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
Data storage backends require an equality index on objectClass to function
correctly. As this is a hard requirement it should be automatic with back-mdb.
Why this wasn't done in the past with other backends isn't exactly clear, it
may have been due to their requirements to have additional cache layers. That
however is not necessary with back-mdb.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9284
Issue ID: 9284
Summary: Need man page for vc contrib overlay
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
The verified credentials overlay in contrib is missing a man page describing
its purpose
--
You are receiving this mail because:
You are on the CC list for the issue.