Hi
Finally found the explanation :-)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921
gnutls on wheezy don't support SHA512 certificates.
The workaround is to disable the TLS1.2 cipher :
TLSCipherSuite NORMAL:-VERS-SSL3.0:-VERS-TLS1.2
Regards
Norbert
Le 17/03/2017 à 10:23, Norbert Gomes a écrit :
Hi
I need to change my certificate on a Openldap server (Debian Wheezy with the latest updates (slapd-2.4.31-2+deb7u2) but I'm facing a strange problem using ldaps protocol :
With the old certificate, I can use TLS 1.2 Cipher, but with the new one, the TLS 1.2 is not possible
I use this nmap command to see what ciphers are proposed : nmap --script ssl-enum-ciphers -p 636 <fqdn>
When using the command with the old certificate, the following cipher appears (with also a TLSv1.1 cipher) :
| TLSv1.2: | ciphers: | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: client
But when doing the same command, on the same server, with only the certificate files modified, I do not have the TLSv1.2 cipher. And no other configuration change is made on the slapd.conf file.
The certificates doesn't contain the cipher instructions, so I don't understand why I have this behavior. Any ideas ?
Regards
Norbert Gomes