Hi everyone

Question: are there any limitations (key size, encryption algorithm, etc.) for certificates used by OpenLDAP to manage TLS connections?

See below why I ask:

I have used the following configuration in my slapd servers for quite a while without any problem:

olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
olcTLSCipherSuite: HIGH
olcTLSVerifyClient: allow

See for example my configuration for syncrepl (see: tls_reqcert=demand):

olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl
  sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type
  =refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacer
  ts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap
  /cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 fil
  ter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand

-> I have used this for a couple of years on my multi-master LDAP servers, and until yesterday it worked perfectly: replication was working properly and clients talked to the servers using TLS without any problem.

But since my certificates were too weak (see this: sha1, 512 bit):

$ openssl x509 -text -in server.crt

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13998752034197585248 (0xc2458ece791fbd60)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Dec 29 15:41:56 2011 GMT
            Not After : Jul 29 15:41:56 2021 GMT

        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)


I have renewed them using the same self-signed authority to validate them, and of course using exactly the same subject. My new certificate looks like this:

$ openssl x509 -text -in server.crt (see this: sha2, 4096 bit):

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap@example.fr
        Validity
            Not Before: Jul 22 15:24:50 2015 GMT
            Not After : Feb 19 15:24:50 2025 GMT

        Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN=ldap1.example.fr/emailAddress=ldap@example.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:

I installed my new certificate on ldap1 without changing the configuration, and after restarting the server, here is what I get in the ldap4 logs (loglevel = sync):

$ tail -f /var/log/ldap.log
...
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2)
Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying

When I reinstall the previous certificates and restart ldap1, I see this appearing in the ldap4 logs:
...
Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE

Question: are there any limitations (key size, encryption algorithm, etc.) for certificates used by OpenLDAP to manage TLS connections? Do OpenLDAP TLS connections work with certificates using sha256WithRSAEncryption and a 4096-bit public key? Maybe I missed something?

(note: I use openssl to manage my certificates)

Thanks for any help.

---
Olivier
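As an added example (not part of Olivier's post and not OpenLDAP code), here is a stdlib-only Python checker that parses the `openssl x509 -text` dumps shown above and flags the properties the post itself calls weak (sha1 signature, 512-bit RSA key), plus the X.509 v1 format both certificates share, which means they carry no extensions such as subjectAltName. The 2048-bit threshold, the weak-digest list and the two sample dumps are my own assumptions, constructed from the values in the post.

```python
import re

# Constructed samples in the shape of `openssl x509 -text` output, using the
# values shown in the post (old: sha1 / 512-bit RSA; new: sha256 / 4096-bit RSA).
OLD_CERT_TEXT = """Certificate:
    Data:
        Version: 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
"""
NEW_CERT_TEXT = """Certificate:
    Data:
        Version: 1 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
"""

MIN_RSA_BITS = 2048             # assumed policy threshold for RSA keys
WEAK_DIGESTS = ("md5", "sha1")  # signature digests treated as weak


def parse_cert_text(text):
    """Pull version, signature algorithm, key algorithm and key size out of a text dump."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None
    return {
        "version": grab(r"Version:\s*(\d+)", int),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "key_alg": grab(r"Public Key Algorithm:\s*(\S+)"),
        "key_bits": grab(r"Public-Key:\s*\((\d+) bit\)", int),
    }


def check_cert(text):
    """Return a list of findings; an empty list means nothing in the dump looks weak."""
    f = parse_cert_text(text)
    findings = []
    if f["key_alg"] == "rsaEncryption" and f["key_bits"] is not None and f["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {f['key_bits']} bits, below the {MIN_RSA_BITS}-bit minimum")
    if f["sig_alg"] and f["sig_alg"].lower().startswith(WEAK_DIGESTS):
        findings.append(f"signature uses a weak digest: {f['sig_alg']}")
    if f["version"] == 1:
        findings.append("X.509 v1 certificate: no extensions, so no subjectAltName or key usage")
    return findings


if __name__ == "__main__":
    for name, text in (("old", OLD_CERT_TEXT), ("new", NEW_CERT_TEXT)):
        print(name, check_cert(text) or ["no findings"])
```

Run it against `openssl x509 -text -in server.crt` output piped into `check_cert` to audit both the server certificate and the CA certificate it chains to, since a consumer with `tls_reqcert=demand` validates the whole chain.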