quanah@zimbra.com wrote:
Full_Name: Quanah Gibson-Mount Version: 2.4.17 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.29.239)
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256
OpenLDAP+gnutls worked fine for me for more than a year, but now I have TLS problems again. It started on my unstable client when libnss-ldap reported:
TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1
Then I upgraded gnutls and ldap on my server from lenny to unstable and now even slapd doesn't start:
TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1. main: TLS init def ctx failed: -1
If I comment out line which defines cipher:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
it works again.
$ gnutls-cli -l|grep TLS_RSA_AES_256_CBC_SHA1 TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
...so I don't see why it shouldn't work.
This appears to be caused by our switch to using GnuTLS's cipher suite parsing functions in 2.4.14 (due to ITS#5887). The syntax that GnuTLS uses is quite different from what we were using in 2.4.13 and earlier. Also, the GnuTLS documentation on their format is misleading and just plain wrong on several points.
We can treat this as an OpenLDAP doc bug, or we can revert to the pre-ITS#5887 behavior, which still works as expected. (But then we will be incompatible with the behavior described in the current GnuTLS documentation. But of course, the doc is wrong anyway.)
For reference, the GnuTLS doc says you can list suite names in a semicolon separated list, and they may optionally be prefixed with "+" or "-" to add or remove particular elements from the list.
In fact, the list must be colon separated, and the "+" is required. Just listing the name will cause an error. Also, the actual suite names cannot be used, only the individual algorithm names are recognized. So instead of the suite name "TLS_RSA_AES_256_CBC_SHA1" you must specify "+AES-256-CBC:+SHA1". This method is more error-prone, because it makes it possible to specify a list of algorithms that do not conform to any valid suite.
All in all, it may be best to revert back to using our own suite parser and ignore the one GnuTLS provides.