On Sat, Jul 30, 2022 at 2:47 PM Jochen Keutel <mlists(a)keutel.de> wrote:
we installed the standard OpenLDAP package on Debian 11. Checking the
TLS ciphers offered by the server we could see that all six Camellia
ciphers are gone (128 and 256, for TLS 1.0, 1.1, 1.2) compared with the
standard OpenLDAP package on Debian 9.
Is this special to the Debian package? Or: Has Gnutls changed something?
We did run into this issue because some special devices (e.G. Cisco
Prime Collaboration Assurance) cannot connect to the new OpenLDAP
server. The server logfile states: TLS handshake: negotiation failure.
It's not yet clear whether they really can "speak" only Camellia ...
They may be removed due to lack of support for RFC 6367. I _think_
that may be the case for TLS 1.3. If I am not mistaken, TLS 1.3
removed lesser used cipher suites, like ARIA, Camellia and IDEA. Cf.,
. And according to IANA, AEAD ciphers are not defined for Camellia.
Try running `gnutls-cli -l` or `gnutls-cli-debug <host>` and see what