On Sat, Jul 30, 2022 at 2:47 PM Jochen Keutel <mlists@keutel.de> wrote:
Hello, we installed the standard OpenLDAP package on Debian 11. Checking the TLS ciphers offered by the server we could see that all six Camellia ciphers are gone (128 and 256, for TLS 1.0, 1.1, 1.2) compared with the standard OpenLDAP package on Debian 9.
Is this special to the Debian package? Or: Has Gnutls changed something?
We did run into this issue because some special devices (e.g. Cisco Prime Collaboration Assurance) cannot connect to the new OpenLDAP server. The server log file states: TLS handshake: negotiation failure. It's not yet clear whether they really can "speak" only Camellia ...
They may be removed due to lack of support for RFC 6367. I _think_ that may be the case for TLS 1.3. If I am not mistaken, TLS 1.3 removed lesser used cipher suites, like ARIA, Camellia and IDEA. Cf., https://www.redhat.com/en/blog/transport-layer-security-version-13-red-hat-e... . And according to IANA, AEAD ciphers are not defined for Camellia. Cf., https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-par... .
Try running `gnutls-cli -l` or `gnutls-cli-debug <host>` and see what is supported.
Jeff
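A small helper for the check Jeff suggests above. This is an added example, not code from either poster or from the GnuTLS project: it reads `gnutls-cli -l`-style output (one suite per line: suite name, the two hex suite-id bytes, then a protocol version column) and summarises which cipher families are offered per protocol version, so a missing family such as CAMELLIA is visible at a glance rather than buried in a long list. The sample output embedded below is constructed for the demonstration and is not the real suite list of any GnuTLS or Debian version; the exact column layout and the meaning of the version column (assumed here to be the lowest protocol version the suite is listed for) are assumptions about the tool's output.

```python
"""Summarise cipher suites from `gnutls-cli -l` style output by cipher family.

Assumed input format (one suite per line, other lines are skipped):
    <suite name>    0xHH, 0xHH    <protocol version>
"""
import re
import sys
from collections import defaultdict

# Constructed sample output for the demonstration; NOT real output of any
# particular GnuTLS build. Note it contains no CAMELLIA suites at all.
SAMPLE_OUTPUT = """\
Cipher suites for NORMAL
TLS_AES_256_GCM_SHA384                     0x13, 0x02    TLS1.3
TLS_CHACHA20_POLY1305_SHA256               0x13, 0x03    TLS1.3
TLS_AES_128_GCM_SHA256                     0x13, 0x01    TLS1.3
TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30    TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1             0xc0, 0x13    SSL3.0
TLS_RSA_AES_128_CBC_SHA1                   0x00, 0x2f    SSL3.0
"""

# Suite name, two hex id bytes, version column (assumed layout).
SUITE_RE = re.compile(
    r"^(?P<name>TLS_\S+)\s+0x[0-9a-fA-F]{2},\s*0x[0-9a-fA-F]{2}\s+(?P<ver>\S+)"
)

# Cipher families as they appear in GnuTLS/IANA suite names.
FAMILIES = ("AES", "CAMELLIA", "CHACHA20", "ARIA", "3DES", "ARCFOUR", "GOST")


def parse_suites(text):
    """Return a list of (suite_name, version) tuples, skipping headers/blank lines."""
    suites = []
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites.append((m.group("name"), m.group("ver")))
    return suites


def cipher_family(suite_name):
    """Map a suite name to its bulk-cipher family, or 'OTHER' if unrecognised."""
    for fam in FAMILIES:
        if fam in suite_name:
            return fam
    return "OTHER"


def is_aead(suite_name):
    """True for AEAD suites (GCM, CCM, ChaCha20-Poly1305); CBC suites are not AEAD."""
    return any(tag in suite_name for tag in ("_GCM_", "_CCM", "POLY1305"))


def summarise(text):
    """Return {family: sorted list of protocol versions the family is offered for}."""
    by_family = defaultdict(set)
    for name, ver in parse_suites(text):
        by_family[cipher_family(name)].add(ver)
    return {fam: sorted(vers) for fam, vers in by_family.items()}


def missing_families(text, wanted):
    """Return the families in `wanted` that do not appear anywhere in the output."""
    offered = summarise(text)
    return [fam for fam in wanted if fam not in offered]


def report(text):
    """Human-readable summary; also flags non-AEAD suites, which TLS 1.3 excludes."""
    lines = []
    for fam, vers in sorted(summarise(text).items()):
        lines.append(f"{fam:10s} offered for: {', '.join(vers)}")
    legacy = [n for n, _ in parse_suites(text) if not is_aead(n)]
    lines.append(f"non-AEAD (CBC etc.) suites: {len(legacy)}")
    for fam in missing_families(text, ("CAMELLIA",)):
        lines.append(f"NOTE: no {fam} suites are offered at all")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: gnutls-cli -l | python3 this_script.py   (or run without input for the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(report(data))
```

Piping the real `gnutls-cli -l` (or `gnutls-cli -l --priority NORMAL`) output into the script on both the Debian 9 and Debian 11 hosts gives a per-family diff that answers the original question directly, without comparing hundreds of suite names by eye; the `non-AEAD` count is the quick indicator of how much of the list is TLS 1.2-only, since TLS 1.3 admits AEAD suites only.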