https://bugs.openldap.org/show_bug.cgi?id=10035
--- Comment #2 from ipuleston@sonicwall.com ---
I tracked this down to a bug in function tlso_ctx_cipher13() in tls_o.c. I added this temporary printf at the end of it where the extracted TLSv1.3 suite names are passed to OpenSSL:

    printf("TLSv1.3 suites set: '%s' !!!!!!!\n", tls13_suites);
    if ( tls13_suites[0] )
        SSL_CTX_set_ciphersuites( ctx, tls13_suites );
And with another one printing the list set via LDAP_OPT_X_TLS_CIPHER_SUITE, this is what I see from those:
Working:

    Setting LDAP TLS cipher suites to '3DES:TLS_AES_128_GCM_SHA256:!eNULL'
    TLSv1.3 suites set: 'TLS_AES_128_GCM_SHA256' !!!!!!!

Not working:

    Setting LDAP TLS cipher suites to '!eNULL:3DES:TLS_AES_128_GCM_SHA256'
    TLSv1.3 suites set: '3DES' !!!!!!!
It doesn't work when the last name in the list is a TLSv1.3 one. In that case it erroneously copies the preceding name into the tls13_suites.
And note that if the TLSv1.3 cipher suite name is the only one in the suites list, then it will copy whatever uninitialized garbage happens to be on the stack in sname[].
I will supply a patch shortly, once I've finished testing it.
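As an added illustration of the parsing the comment describes (not OpenLDAP's code and not the pending patch): a standalone C splitter that pulls TLSv1.3 suite names out of an OpenSSL-style colon-separated cipher string, handling a TLSv1.3 name in the last position and as the only entry, and initialising the output buffer before parsing so nothing stale is passed on when no name matches. The tls13_names list, is_tls13_name and split_tls13_suites are assumptions made for this example.

```c
#include <string.h>

/* Constructed list of TLSv1.3 suite names for this example (the real set
 * comes from OpenSSL); names not in it are treated as pre-1.3 ciphers. */
static const char *const tls13_names[] = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", NULL
};

static int is_tls13_name(const char *name, size_t len)
{
    for (const char *const *p = tls13_names; *p; p++)
        if (strlen(*p) == len && memcmp(*p, name, len) == 0)
            return 1;
    return 0;
}

/* Copy the TLSv1.3 suite names from a colon-separated cipher string into
 * out (colon-separated, NUL-terminated). out is initialised before any
 * parsing so it never carries stale stack contents when nothing matches.
 * Returns the number of names copied, or -1 if out is too small. */
int split_tls13_suites(const char *ciphers, char *out, size_t outsz)
{
    size_t used = 0; int count = 0;
    const char *p = ciphers;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *sep = strchr(p, ':');
        /* No ':' after the last name: measure to end of string instead. */
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len && is_tls13_name(p, len)) {
            size_t need = len + (count ? 1 : 0);
            if (used + need >= outsz)
                return -1;
            if (count)
                out[used++] = ':';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            count++;
        }
        if (!sep)
            break;
        p = sep + 1;
    }
    return count;
}
```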