On 5/5/21 2:51 AM, Howard Chu wrote:
Michael Ströder wrote:
I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release 2.5.4 when connecting to a 2.4 provider:
TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
A 2.4.58 consumer replica works just fine.
There is this commit in RE25 and I'm not sure whether that introduces a regression on my system:
b72bce2400ce303766f355a1dd37f4012754c942 ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
BTW: openSUSE has implemented something like a crypto policy configuration:
https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openss...
Any clue what's going on?
What ciphers have you configured on your client and server? What versions of OpenSSL are running on each?
TL;DR: If I comment TLSCipherSuite in the 2.5.4 slapd.conf everything works.
It fails when setting this in slapd provider (2.4.58) *and* consumer (2.5.4):
TLSProtocolMin 3.3
TLSCipherSuite HIGH
BTW: I didn't know that these server-side settings also affect the syncrepl-client config.
This works when connecting with 2.5.4 CLI tools to 2.4.58 server:
LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH /opt/openldap-ms/bin/ldapwhoami ..
But connecting even only with openssl s_client to 2.5.4 server does not work with the above TLSCipherSuite settings.
All systems have OpenSSL 1.1.1k. The symlink /etc/crypto-policies/back-ends/openssl.config points to /usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Not sure what is really affected by this file.
You can see how RPMs are built in OBS:
https://build.opensuse.org/package/show/security:tls/openssl-1_1
https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms
Ciao, Michael.
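A quick local check that a practitioner would want before digging into slapd: how the installed OpenSSL itself treats a cipher string such as HIGH, or the crypto-policy line quoted above, when it is handed to the TLSv1.2-style cipher list versus the TLSv1.3 ciphersuites list. This is an added example, not from the thread and not OpenLDAP code; it assumes an `openssl` binary (1.1.1 or later) on PATH and says nothing about how slapd or libldap apply TLSCipherSuite internally. The `SUSE_DEFAULT_POLICY` string is copied from the message as sample input.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenLDAP code. Assumes an
# `openssl` binary (1.1.1 or later) on PATH. It shows how OpenSSL treats a
# cipher string under its two cipher APIs:
#   - the TLSv1.2-and-earlier cipher list (SSL_CTX_set_cipher_list), which
#     understands keyword expressions such as HIGH and the @SECLEVEL syntax;
#   - the TLSv1.3 ciphersuites list (SSL_CTX_set_ciphersuites), which only
#     takes explicit TLS_* suite names and rejects a keyword such as HIGH.

# The DEFAULT crypto-policy line quoted in the thread, used here as sample input.
SUSE_DEFAULT_POLICY='@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8'

# Exit 0 if OpenSSL accepts $1 as a (TLSv1.2-style) cipher list.
cipher_list_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Exit 0 if OpenSSL accepts $1 as a TLSv1.3 ciphersuites string.
ciphersuites_ok() {
    openssl ciphers -ciphersuites "$1" >/dev/null 2>&1
}

# Print how many TLSv1.3 suites stay enabled when $1 is applied as the cipher
# list. The TLSv1.3 suites live in the separate ciphersuites list, so even a
# restrictive cipher list such as HIGH does not remove them.
tls13_suites_after() {
    openssl ciphers -v "$1" 2>/dev/null | grep -c 'TLSv1\.3' || true
}

# Report both verdicts for one cipher string.
report() {
    if cipher_list_ok "$1"; then
        printf 'cipher list  : accepts %s (%s TLSv1.3 suites still enabled)\n' \
            "$1" "$(tls13_suites_after "$1")"
    else
        printf 'cipher list  : rejects %s\n' "$1"
    fi
    if ciphersuites_ok "$1"; then
        printf 'ciphersuites : accepts %s\n' "$1"
    else
        printf 'ciphersuites : rejects %s\n' "$1"
    fi
}

report HIGH
report 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
report "$SUSE_DEFAULT_POLICY"
```

Run it on the consumer host: HIGH and the crypto-policy string are valid cipher lists but are rejected as TLSv1.3 ciphersuites, while an explicit TLS_* list is the only form the ciphersuites API takes. The count of TLSv1.3 suites after applying a cipher list also makes clear that TLSProtocolMin plus a TLSv1.2-style cipher list does not by itself restrict which TLSv1.3 suites are offered.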