Thanks for the reply,
I am trying to disable all the ciphers and then only enable the ciphers captured by the HIGH, SSLv3, TLSv1, MEDIUM, and SSLv2 list (these are maintained by the openssl guys I think... http://www.openssl.org/docs/apps/ciphers.html ). Explicitly turning off the NULL ciphers. Whenever possible I want to try and use SHA digests instead of MD5 since MD5 is no longer the approved digest, but those are preferred above non-digested ciphers (which are not present in SSLv2 and later, but...).
After poking about the net a bit more (thanks to the Ah Ha of the ! that you listed below) I have revised this to HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5

Which yields:

# openssl ciphers -v 'HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
This tells me that now I am actually selecting a valid cipher list, but the start-up problem remains.
TLS: could not set cipher list HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:@STRENGTH:+SHA:+MD5.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.

OpenLDAP 2.4.7-5 on Debian x86 installed from apt

Pat
On Mon, 2008-03-24 at 12:44 -0600, Philip Guenther wrote:
On Mon, 24 Mar 2008, Pat Riehecky wrote:
I am trying to limit the cipher list for TLS negotiations, but I don't seem to be able to do this.....
...
TLS: could not set cipher list !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5.
main: TLS init def ctx failed: -1
You can test your cipher list expression by passing it to the "openssl ciphers" command:
$ openssl ciphers -v !ALL:HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:!aNULL:!NULL:+SHA:+MD5
Error in cipher list
16507:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/lib/libssl/src/ssl/ssl_lib.c:1144:
$

So your cipher list disables all the ciphers. The error is in the first term:

    If `!' is used, then the ciphers are permanently deleted from the
    list. The ciphers deleted can never reappear in the list even if
    they are explicitly stated.
So, your "!ALL" completely removes the "ALL" ciphers from the list and nothing can reinsert them after that.
Offhand, it's not clear what you're trying to accomplish with that cipher list expression, so it's not clear what the right 'fix' is.
Philip Guenther
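To make the `!` / `-` / `+` / `@STRENGTH` semantics from the thread concrete, here is a toy evaluator for a subset of the OpenSSL cipher-list grammar. It is added here and is not code from the thread or from OpenSSL; the cipher table (names, key sizes, keyword membership and default order) is a small constructed sample, not OpenSSL's real list.

```python
# Toy evaluator for a subset of the OpenSSL cipher-list grammar (added example).
# Rules modelled: "!" deletes permanently, "-" deletes but allows re-adding,
# "+" moves already-selected matches to the end, "@STRENGTH" sorts by key size.
# The cipher table below is a constructed sample, not OpenSSL's built-in list.
CIPHERS = {  # name: (encryption bits, keywords the cipher belongs to)
    "DHE-RSA-AES256-SHA": (256, {"HIGH", "SSLv3", "SHA", "aRSA", "kEDH"}),
    "AES128-SHA":         (128, {"HIGH", "SSLv3", "SHA", "aRSA", "kRSA"}),
    "DES-CBC3-MD5":       (168, {"HIGH", "SSLv2", "MD5", "aRSA", "kRSA"}),
    "RC4-MD5":            (128, {"MEDIUM", "SSLv3", "MD5", "aRSA", "kRSA"}),
    "NULL-SHA":           (0,   {"SSLv3", "SHA", "eNULL", "aRSA", "kRSA"}),
    "ADH-AES128-SHA":     (128, {"HIGH", "SSLv3", "SHA", "aNULL", "kEDH"}),
}

def matching(expr):
    """Cipher names (table order) selected by one keyword expression.
    'A+B' inside a term means ciphers carrying both keyword A and keyword B."""
    words = expr.split("+")
    out = []
    for name, (_, kws) in CIPHERS.items():
        ok = True
        for w in words:
            if w == "ALL":          # ALL is every cipher except the eNULL ones
                ok &= "eNULL" not in kws
            elif w == "NULL":       # NULL is an alias for eNULL
                ok &= "eNULL" in kws
            else:
                ok &= w in kws
        if ok:
            out.append(name)
    return out

def evaluate(spec):
    """Apply a colon-separated cipher string; return the resulting cipher order."""
    selected, dead = [], set()   # dead = ciphers removed with "!" (never re-added)
    for term in spec.split(":"):
        if not term:
            continue
        if term == "@STRENGTH":  # stable sort by key size, strongest first
            selected.sort(key=lambda n: CIPHERS[n][0], reverse=True)
            continue
        op, expr = (term[0], term[1:]) if term[0] in "!-+" else ("", term)
        hits = matching(expr)
        if op == "!":
            dead.update(hits)
            selected = [n for n in selected if n not in hits]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            moved = [n for n in selected if n in hits]
            selected = [n for n in selected if n not in hits] + moved
        else:                    # plain term: append new matches, skipping dead ones
            selected += [n for n in hits if n not in selected and n not in dead]
    return selected
```

Running `evaluate("!ALL:HIGH:MEDIUM:!aNULL:!NULL")` reproduces the empty list behind the "no cipher match" error, while the revised string keeps the SHA ciphers ahead of the MD5 ones because `+MD5` is applied last.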