https://bugs.openldap.org/show_bug.cgi?id=9546
Issue ID: 9546
Summary: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available
Product: OpenLDAP
Version: 2.5.4
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: michael@stroeder.com
Target Milestone: ---
TL;DR:
TLSCipherSuite HIGH in slapd.conf results in this error message both for incoming connections and outgoing syncrepl connections:
error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
If I comment TLSCipherSuite in the 2.5.4 slapd.conf everything works.
Details:
It fails when setting this in slapd provider (2.4.58) *and* consumer (2.5.4):
TLSProtocolMin 3.3
TLSCipherSuite HIGH
This works when connecting with 2.5.4 CLI tools to 2.4.58 server:
LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH /opt/openldap-ms/bin/ldapwhoami ..
But connecting even only with openssl s_client to 2.5.4 server does not work with the above TLSCipherSuite settings.
All systems have OpenSSL 1.1.1k. The symlink /etc/crypto-policies/back-ends/openssl.config points to /usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Not sure what is really affected by this file.
You can see how RPMs are built in OBS:
https://build.opensuse.org/package/show/security:tls/openssl-1_1
https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms
Howard Chu hyc@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Component|slapd                       |libraries
        Resolution|---                         |INVALID
            Status|UNCONFIRMED                 |RESOLVED
--- Comment #1 from Howard Chu hyc@openldap.org ---
This is a broken ciphersuite config, not an OpenLDAP bug. Discussed here https://lists.openldap.org/hyperkitty/list/openldap-devel@openldap.org/messa...
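The settings in the report (TLSCipherSuite HIGH with TLSProtocolMin 3.3) and the verdict in comment #1 both come down to what a cipher string resolves to once OpenSSL applies it. The script below is an added diagnostic, not code from the bug report or from OpenLDAP: it feeds a cipher string through CPython's ssl module (assumed to be linked against OpenSSL 1.1.1 or later, the same cipher-list parser that libldap's OpenSSL backend hands TLSCipherSuite to), enforces a TLSProtocolMin in slapd's own notation, and reports which ciphers remain usable. The inputs are copied from the report; the function names and the "3.x" lookup table are this example's own.

```python
"""Resolve a TLSCipherSuite string the way OpenSSL does and show what is
left once a minimum protocol version is enforced.  Added diagnostic for
the configuration in the report above, not OpenLDAP code.  It assumes
CPython's ssl module is linked against OpenSSL 1.1.1 or later."""
import ssl

# slapd's TLSProtocolMin notation is the SSL record version:
# 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3.
_PROTOCOL_MIN = {
    "3.1": ssl.TLSVersion.TLSv1,
    "3.2": ssl.TLSVersion.TLSv1_1,
    "3.3": ssl.TLSVersion.TLSv1_2,
    "3.4": ssl.TLSVersion.TLSv1_3,
}

# Constructed inputs copied from the report: the slapd setting, and the
# crypto-policies line found in /usr/share/crypto-policies/DEFAULT/openssl.txt.
SLAPD_CIPHER_SUITE = "HIGH"
CRYPTO_POLICY = (
    "@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:"
    "-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:"
    "-SHA384:-CAMELLIA:-ARIA:-AESCCM8"
)


def resolve_cipher_suite(spec, protocol_min="3.3"):
    """Return {protocol: [cipher names]} that `spec` enables with the given
    TLSProtocolMin.  An empty dict means OpenSSL rejected the string
    ("No cipher can be selected"): the string leaves nothing to offer,
    which is the situation behind a 'no ciphers available' error.
    The key is the lowest version each cipher supports, as OpenSSL labels
    it (pre-TLS1.2 suites show up as 'SSLv3')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _PROTOCOL_MIN[protocol_min]
    try:
        ctx.set_ciphers(spec)  # SSL_CTX_set_cipher_list() underneath
    except ssl.SSLError:
        return {}
    enabled = {}
    # get_ciphers() applies the context's version bounds and security
    # level, so it reflects what a ClientHello could actually offer.
    for cipher in ctx.get_ciphers():
        enabled.setdefault(cipher["protocol"], []).append(cipher["name"])
    return enabled


def count_ciphers(spec, protocol_min="3.3"):
    """Number of ciphers `spec` leaves usable at `protocol_min`."""
    groups = resolve_cipher_suite(spec, protocol_min)
    return sum(len(names) for names in groups.values())


def check_config(spec, protocol_min="3.3"):
    """One-line verdict for a slapd.conf TLSCipherSuite/TLSProtocolMin pair."""
    n = count_ciphers(spec, protocol_min)
    head = f"TLSCipherSuite {spec!r} with TLSProtocolMin {protocol_min}: "
    return head + ("no ciphers available" if n == 0 else f"{n} ciphers usable")


if __name__ == "__main__":
    # "!ALL" is a deliberately empty string to show the failure case.
    for spec in (SLAPD_CIPHER_SUITE, CRYPTO_POLICY, "!ALL"):
        print(check_config(spec, "3.3"))
        for proto, names in resolve_cipher_suite(spec, "3.3").items():
            print(f"  {proto}: {', '.join(names)}")
```

Running it against the exact OpenSSL build that slapd links (the same python3 on the same host) is the point: the cipher string is interpreted by that library's alias table and security level, so a string that looks fine on one system can resolve to nothing on another. A non-empty result here does not by itself prove slapd will negotiate, but an empty one pins the problem on the cipher string and protocol floor rather than on OpenLDAP.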
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|RESOLVED                    |VERIFIED