I also tried to debug it a little. Dumping the network connection, I noticed that if start_tls is used from Net::LDAP, the Client Hello packet's cipher suite list does not contain anything with a SHA2 MD, only SHA1. The "# gnutls-cli --priority SECURE256 -l" command doesn't list anything with SHA1. After receiving the Client Hello, slapd sends back FIN ACK and logs:

TLS: can't accept: Could not negotiate a supported cipher suite..
5546abc3 connection_read(16): TLS accept failure error=-1 id=1001, closing

When connecting from Net::LDAPS over TLS (636), the Client Hello's cipher suite list contains a lot more entries and uses 'Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)'. Attaching the two pcap files. This is more likely a problem in libnet-ldap-perl or in the SSL library that the perl module uses.

Dancsa

On 05/04/2015 12:17 AM, Christian wrote:
> On Sun, 3 May 2015 15:05:48 -0700 Ryan Tandy <r...@nardis.ca> wrote:
>> Control: tag -1 confirmed
>>
>> On Sun, May 03, 2015 at 11:39:05PM +0200, Christian Ospelkaus wrote:
>>> The perl module Net::LDAP in jessie fails to talk to an slapd on jessie
>>> using start_tls. Net::LDAP in jessie can, however, talk to an slapd
>>> running on wheezy.
>>
>> Thanks for the report. I confirm that behaviour and will take a closer
>> look as soon as I can. It looks like it does work if I don't set
>> olcTLSCipherSuite at all, so I wonder if the SECURE256 setting simply
>> has no ciphers in common with Net::LDAP's defaults?
>
> Thanks for the quick reply. Sorry I filed the report using a local email
> address. Please use chanli...@googlemail.com
>
> From the libnet-ldap-perl documentation:
>
> Net::LDAPS will by default use all the algorithms built into your copy
> of OpenSSL, except for ones considered to use "low" strength
> encryption, and those using export strength encryption. You can
> override this when you create the Net::LDAPS object using the
> 'ciphers' option.
>
> I briefly looked at it, but I could not see how it would select specific
> ciphers. Thanks,
>
> Christian
Attachments:
  ldap-startls.pcap (application/vnd.tcpdump.pcap)
  ldap-tls.pcap (application/vnd.tcpdump.pcap)
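The check Dancsa did by hand on the two captures (does the Client Hello offer any SHA-2 cipher suite, or only SHA1 ones?) can be scripted. The following is an added example written for this page; it is not code from the bug report, from libnet-ldap-perl or from OpenLDAP. It parses the first TLS record of a connection, extracts the ClientHello cipher-suite list and reports whether any SHA256/SHA384 suite is present. The two Client Hellos it runs on are constructed inline with a small builder (a real one would be the first TLS record after the StartTLS extended response in ldap-startls.pcap, or the first record on port 636 in ldap-tls.pcap), and the suite-name table is a hand-picked subset of the IANA registry, enough to cover the suites named in this thread.

```python
import struct

# Subset of the IANA TLS cipher-suite registry (assumption: only the suites
# relevant to this bug are listed; anything else is reported as unknown).
SUITE_NAMES = {
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x003c: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003d: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x006b: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x009c: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009d: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(suites, version=(3, 3)):
    """Build a minimal TLS record carrying a ClientHello that offers `suites`.

    Only used to construct sample input for this example; with a capture you
    would feed the raw record bytes straight to parse_client_hello_suites().
    """
    body = bytes(version) + b"\x11" * 32                    # client_version + fixed 'random'
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)  # cipher_suites
    body += b"\x01\x00"                                     # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher-suite codes offered in a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                         # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                   # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def suite_name(code):
    return SUITE_NAMES.get(code, "unknown(0x%04x)" % code)


def offers_sha2_suite(suites):
    """True if at least one offered suite uses a SHA-2 MAC/PRF (name ends in SHA256/SHA384).

    A server restricted to such suites (as slapd is here with SECURE256) cannot
    pick anything from a SHA1-only list, which is exactly the failure in the report.
    """
    return any(suite_name(s).endswith(("SHA256", "SHA384")) for s in suites)


def report(record):
    suites = parse_client_hello_suites(record)
    return {
        "suites": [suite_name(s) for s in suites],
        "offers_sha2": offers_sha2_suite(suites),
    }


# Constructed samples modelled on the two captures described in the thread:
# the start_tls hello offers only *_SHA suites, the ldaps hello includes 0x003d.
STARTTLS_HELLO = build_client_hello([0x0035, 0x002f, 0x000a, 0xc014])
LDAPS_HELLO = build_client_hello([0x003d, 0x003c, 0xc030, 0x0035, 0x002f])

if __name__ == "__main__":
    for label, rec in (("start_tls", STARTTLS_HELLO), ("ldaps", LDAPS_HELLO)):
        r = report(rec)
        print(label, "offers SHA-2 suite:", r["offers_sha2"])
        for name in r["suites"]:
            print("   ", name)
```

Run it against a real capture by extracting the first TLS record from the client stream (for StartTLS that is the first record after the plaintext LDAP extended response, for LDAPS the first bytes on port 636) and passing those bytes to report(). If offers_sha2 comes back False the client cannot satisfy a server whose olcTLSCipherSuite only admits SHA-2 suites, whatever the rest of the configuration says.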