Hello, thanks very much for your hints. Unfortunately, I couldn't solve the problem so far ... What I've tried:
- create /etc/gnutls/config with content:
[overrides] default-priority-string = NORMAL:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC
- set and export GNUTLS_SYSTEM_PRIORITY_FILE=/etc/gnutls/config and start slapd directly from this shell
- setting various strings for TLSCipherSuite in slapd.conf (e.g. the string mentioned above)
Nothing helps ... Still Camellia is not offered by slapd.
Does OpenLDAP use a different GnuTLS priority file than /etc/gnutls/config? Does OpenLDAP (or the libgnutls used by OpenLDAP) use the priority file at all?
I've found in the code (./libraries/libldap/tls_g.c, line 110, OpenLDAP 2.5.13):
gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
Does this mean that OpenLDAP always uses NORMAL, independent of the priority file? (This could explain the behaviour: if "NORMAL" on Debian 11 is restricted, then you get fewer cipher suites than on Debian 10 and before.)
Regards, Jochen.
On 01.08.2022 at 19:11, A. Schulze wrote:
On 01.08.22 at 16:30, Quanah Gibson-Mount wrote:
As far as I'm aware, both Debian and Ubuntu continue to link OpenLDAP to GnuTLS, so pointing out how openssl behaves probably doesn't help them progress much. I'm guessing though that similar changes were done to the GnuTLS defaults.
Right! As Quanah mentioned, OpenLDAP on Debian uses GnuTLS; see https://packages.debian.org/bullseye/libldap-2.4-2 So, sorry for my noise about OpenSSL...
Andreas