Hi

Finally found the explanation :-)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921

gnutls on wheezy don't support SHA512 certificates.

The workaround is to disable the TLS1.2 cipher :

TLSCipherSuite NORMAL:-VERS-SSL3.0:-VERS-TLS1.2

Regards

Norbert



Le 17/03/2017 à 10:23, Norbert Gomes a écrit :
Hi

I need to change my certificate on a Openldap server (Debian Wheezy with
the latest updates (slapd-2.4.31-2+deb7u2) but I'm facing a strange
problem using ldaps protocol :

With the old certificate, I can use TLS 1.2 Cipher, but with the new
one, the TLS 1.2 is not possible

I use this nmap command to see what ciphers are proposed :
nmap --script ssl-enum-ciphers -p 636 <fqdn>


When using the command with the old certificate, the following cipher
appears (with also a TLSv1.1 cipher) :

|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client


But when doing the same command, on the same server, with only the
certificate files modified, I do not have the TLSv1.2 cipher. And no
other configuration change is made on the slapd.conf file.


The certificates doesn't contain the cipher instructions, so I don't
understand why I have this behavior.
Any ideas ?

Regards

Norbert Gomes