--On Saturday, July 30, 2022 10:10 PM +0200 "A. Schulze" sca@andreasschulze.de wrote:
On 30.07.22 at 20:46, Jochen Keutel wrote:
We did run into this issue because some special devices (e.g. Cisco Prime Collaboration Assurance) cannot connect to the new OpenLDAP server. The server logfile states: TLS handshake: negotiation failure. It's not yet clear whether they really can "speak" only Camellia ...
It's called "openssl security level". Debian 11 defaults to seclevel=2; Camellia ciphers are available in seclevel=1.
$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
$ openssl ciphers -v | grep -i camellia | wc -l
0
$ openssl ciphers -v 'ALL;@SECLEVEL=1' | grep -i camellia | wc -l
28
As far as I'm aware, both Debian and Ubuntu continue to link OpenLDAP to GnuTLS, so pointing out how openssl behaves probably doesn't help them progress much. I'm guessing though that similar changes were done to the GnuTLS defaults.
--Quanah