Good Day,

Working on moving from RHEL6 to RHEL8.  Given the drop in support for openldap in RHEL8 I've installed the symas-openldap distros.

Here are the versions in play: 

cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.2 (Ootpa)

sudo yum list installed | grep openldap
openldap.x86_64                                       2.4.46-9.el8                           @rhel-8-for-x86_64-baseos-rpms      
symas-openldap.x86_64                                 2.4.55-1.el8                           @sofl                              
symas-openldap-clients.x86_64                         2.4.55-1.el8                           @sofl                              
symas-openldap-servers.x86_64                         2.4.55-1.el8                           @sofl                            

$ openssl version
OpenSSL 1.1.1c FIPS  28 May 2019

I can't get any TLS connections to succeed, even if I try ldapsearch from the local (ldap server) host.  The net error is cipher incompatibility;  here's the output from a local ldapsearch:

ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636)
ldap_create
ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dev-pnldap1.net.isc.upenn.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 130.91.185.254:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I had slapd running in foreground for that ldapsearch, here's the output:
TLS trace: SSL_accept:before SSL initialization
tls_read: want=5, got=5
  0000:  16 03 01 01 26                                     ....&            
tls_read: want=294, got=294
TLS trace: SSL_accept:before SSL initialization
tls_write: want=7, written=7
  0000:  15 03 03 00 02 02 28                               ......(          
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.
5fa072c7 connection_read(11): TLS accept failure error=-1 id=1000, closing

I've tried various combinations of TLSProtocolMin (3.3, 3.2, and not specifying at all) and the result is the same.
I tried specifying the ciphers currently supported by openssl in TLSCipherSuite, same errors.

Running some outside utilities gives the same information.
nmap: no ciphers returned for the rhel8 system:
 nmap --script  ssl-enum-ciphers -p 636 dev-pnldap1.net.isc.upenn.edu -Pn

Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST
Nmap scan report for dev-pnldap1.net.isc.upenn.edu (130.91.185.254)
Host is up (0.0014s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
  rhel6 system:
$ nmap --script  ssl-enum-ciphers -p 636 dev-pnldap2.net.isc.upenn.edu -Pn

Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST
Nmap scan report for dev-pnldap2.net.isc.upenn.edu (130.91.185.136)
Host is up (0.0019s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Thanks in advance for any suggestions or corrections.

Peter
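
Added example, not part of the original post: a Python decoder for the short `tls_read`/`tls_write` records in the slapd output above, plus a routine that lists the cipher suites in a ClientHello, which is the client's half of the comparison behind "no shared cipher". The ClientHello bytes and the lookup tables are constructed for illustration and cover only the values used here.

```python
import re

# Dump lines copied from the slapd output above: the record header it read
# and the record it wrote back.
READ_HDR = "  0000:  16 03 01 01 26                    ....&"
WRITTEN = "  0000:  15 03 03 00 02 02 28              ......("
# Constructed ClientHello (not from the post): zero random, empty session id,
# four cipher suites, null compression, no extensions.
HELLO = (bytes.fromhex("0100002f0303") + bytes(32)
         + bytes.fromhex("00 0008 1302 c030 009d 00ff 0100"))

CONTENT = {21: "alert", 22: "handshake", 23: "application_data"}
VERSION = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
SUITE = {0x1302: "TLS_AES_256_GCM_SHA384",
         0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
         0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
HEX_ROW = re.compile(r"\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}(?:\s{1,2}|$))+)")

def dump_to_bytes(text):
    """Rebuild raw bytes from hex-dump rows, ignoring the ASCII column."""
    rows = (HEX_ROW.match(line) for line in text.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in rows if m)

def parse_record(data):
    """Return (content type, record version, declared length, payload)."""
    ctype = CONTENT.get(data[0], data[0])
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    return ctype, VERSION.get(version, hex(version)), length, data[5:5 + length]

def decode_alert(payload):
    """Return (level, description) for a two-byte alert payload."""
    return ("fatal" if payload[0] == 2 else "warning",
            ALERT.get(payload[1], payload[1]))

def offered_suites(hello):
    """List the cipher suites carried in a ClientHello handshake message."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32               # handshake header, client_version, random
    pos += 1 + hello[pos]          # skip session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")
    ids = (int.from_bytes(hello[i:i + 2], "big")
           for i in range(pos + 2, pos + 2 + n, 2))
    return [SUITE.get(i, f"0x{i:04x}") for i in ids]

if __name__ == "__main__":
    print(parse_record(dump_to_bytes(READ_HDR))[:3])
    print(decode_alert(parse_record(dump_to_bytes(WRITTEN))[3]))
    print(offered_suites(HELLO))
```

The decoded list is what the server side has to intersect with the suites it can actually use; `openssl ciphers -V` prints the same two-byte IDs next to each suite name for that comparison.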