Michael Ströder wrote:
On 5/5/21 2:51 AM, Howard Chu wrote:
> Michael Ströder wrote:
>> I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
>> 2.5.4 when connecting to an 2.4 provider:
>> TLS: can't connect: error:141A90B5:SSL
>> routines:ssl_cipher_list_to_bytes:no ciphers available.
>> An 2.4.58 consumer replica works just fine.
>> There is this commit in RE25 and I'm not sure whether that introduces a
>> regression on my system:
>> ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
>> BTW: openSUSE has implemented something like a crypto policy configuration:
>> Any clue what's going on?
> What ciphers have you configured on your client and server? What versions of OpenSSL
are running on each?
TL;DR: If I comment TLSCipherSuite in the 2.5.4 slapd.conf everything works.
It fails when setting this in slapd provider (2.4.58) *and* consumer
BTW: I didn't know that these server-side settings also affect the
This works when connecting with 2.5.4 CLI tools to 2.4.58 server:
LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH
But connecting even only with openssl s_client to 2.5.4 server does not
work with the above TLSCipherSuite settings.
All systems have OpenSSL 1.1.1k.
Then you're getting TLSv1.3 on these connections. Your ciphersuite config
has no TLSv1.3 ciphers though; cipher suite "HIGH" only affects TLSv1.2 and
When you leave the suite unconfigured, it works because the hardcoded default
in OpenSSL includes a set of TLSv1.3 suites. When you set the TLSCipherSuite
parameter, all defaults are zeroed out and then your settings are configured.
The OpenSuSE patch you pointed to also only sets the suites for TLSv1.2 and
below, it doesn't call the OpenSSL API to set TLSv1.3 suites so the hardcoded
defaults are still in effect.
Change your suite config to include some actual TLSv1.3 suites and it will be
fine. There's no bug here, just a change in OpenSSL behavior which is covered
in their documentation. https://wiki.openssl.org/index.php/TLS1.3
I've seen in other software that they've split their cipher config to use
CIPHER_LIST to configure TLSv1.2 and below, and CIPHER_SUITE to configure
TLSv1.3. Since our config keyword already uses CIPHERSUITE our approach was
simply to use it for both, scanning the provided string for TLSv1.3 suite
names before doing the usual TLSv1.2 processing. This behavior is also in
accordance with OpenSSL's own tools, which always list the TLSv1.3 ciphers
along with the TLSv1.2 ciphers when you query it for configured cipher suites.
I.e., even though OpenSSL itself configures them separately, it always displays
the configuration as a single list, so conceptually, for us anyway, it is
still a single parameter list.
/etc/crypto-policies/back-ends/openssl.config points to
/usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:
Not sure what is really affected by this file.
You can see how RPMs are built in OBS:
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/