reassign 784179 libnet-ldap-perl
thanks

Reassigning to libnet-ldap-perl because the problem doesn't have anything to do with slapd, if I'm correct.

You can get Net::LDAP to connect with start_tls if you specify the sslversion as TLS 1.2, i.e.

    $ldap->start_tls('sslversion' => 'TLSv1_2');

LDAP.pm:1103 restricts the TLS version to 1.0 unless otherwise specified. This restriction doesn't apply if you connect over LDAPS: if you don't specify the sslversion there, the IO::Socket::SSL default 'SSLv23:!SSLv3:!SSLv2' is used, so TLSv1_2 is enabled too.

Dancsa

On 05/04/2015 01:39 AM, GALAMBOS Daniel wrote:
> I also tried to debug it a little.
>
> Dumping the network connection I noticed that if start_tls is used from
> Net::LDAP, the Client Hello packet's cipher suite list does not contain
> anything with a SHA2 MD, only SHA1.
> # gnutls-cli --priority SECURE256 -l command doesn't list anything with
> sha1. After receiving the Client Hello, slapd sends back FIN ACK and logs:
> TLS: can't accept: Could not negotiate a supported cipher suite..
> 5546abc3 connection_read(16): TLS accept failure error=-1 id=1001, closing
>
> When connecting from Net::LDAPS over TLS (636) the Client Hello's cipher
> suite list contains a lot more entries and uses 'Cipher Suite:
> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)'
>
> Attaching the two pcap files.
>
> This is more likely the libnet-ldap-perl's or the ssl library's problem
> that the perl module uses.
>
> Dancsa
>
> On 05/04/2015 12:17 AM, Christian wrote:
>> On Sun, 3 May 2015 15:05:48 -0700 Ryan Tandy <r...@nardis.ca> wrote:
>>> Control: tag -1 confirmed
>>>
>>> On Sun, May 03, 2015 at 11:39:05PM +0200, Christian Ospelkaus wrote:
>>>> The perl module Net::LDAP in jessie fails to talk to a slapd on jessie
>>>> using start_tls. Net::LDAP in jessie can, however, talk to a slapd
>>>> running on wheezy.
>>>
>>> Thanks for the report. I confirm that behaviour and will take a closer
>>> look as soon as I can. It looks like it does work if I don't set
>>> olcTLSCipherSuite at all, so I wonder if the SECURE256 setting simply
>>> has no ciphers in common with Net::LDAP's defaults?
>>
>> Thanks for the quick reply. Sorry I filed the report using a local email
>> address. Please use chanli...@googlemail.com
>>
>> From the libnet-ldap-perl documentation:
>>
>> Net::LDAPS will by default use all the algorithms built into your copy
>> of OpenSSL, except for ones considered to use "low" strength
>> encryption, and those using export strength encryption. You can
>> override this when you create the Net::LDAPS object using the
>> 'ciphers' option.
>>
>> I briefly looked at it, but I could not see how it would select specific
>> ciphers. Thanks,
>>
>> Christian
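The workaround Dancsa describes, written out as a complete client script. This is an added example and not code from the bug report or from libnet-ldap-perl itself; the host name, port and CA file are placeholders (read from LDAP_HOST / LDAP_CAFILE or defaulted), and it assumes a slapd that requires TLS 1.2 suites, as with the SECURE256 olcTLSCipherSuite setting discussed above. It forces TLSv1_2 on start_tls, requires certificate verification, and prints the negotiated protocol and cipher so the reported "Could not negotiate a supported cipher suite" failure can be confirmed or ruled out from the client side:

```perl
#!/usr/bin/perl
# Added example (not from bug #784179 or libnet-ldap-perl): upgrade a plain
# LDAP connection with StartTLS, forcing TLS 1.2, and report what was
# negotiated. Host, port and CA file are placeholders.
use strict;
use warnings;
use Net::LDAP;

my $host   = $ENV{LDAP_HOST}   // 'ldap.example.org';                  # placeholder
my $cafile = $ENV{LDAP_CAFILE} // '/etc/ssl/certs/ca-certificates.crt'; # placeholder

my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
    or die "connect to $host:389 failed: $@";

# Without an explicit sslversion, Net::LDAP in jessie pins StartTLS to
# TLS 1.0, whose Client Hello offers no SHA-2 cipher suites; a server
# restricted to SECURE256 then aborts the handshake. Forcing TLSv1_2
# (the same value IO::Socket::SSL uses) avoids that.
my $mesg = $ldap->start_tls(
    sslversion => 'TLSv1_2',
    verify     => 'require',   # validate the server certificate chain
    cafile     => $cafile,
);
die "start_tls failed: " . $mesg->error if $mesg->code;

# After start_tls the underlying socket is an IO::Socket::SSL object;
# get_sslversion() is guarded with can() for older versions.
my $sock = $ldap->socket;
printf "negotiated %s using cipher %s\n",
    ($sock->can('get_sslversion') ? $sock->get_sslversion : 'unknown'),
    $ldap->cipher;

# Anonymous bind to show the upgraded connection works end to end.
$mesg = $ldap->bind;
die "bind failed: " . $mesg->error if $mesg->code;

$ldap->unbind;
```

Run it against a test server with `LDAP_HOST=ldap.example.org perl starttls_check.pl`; with the sslversion line removed it reproduces the failure from the report against a SECURE256-restricted slapd, and with it in place the printed line should show TLSv1_2 and a SHA-2 suite such as the TLS_RSA_WITH_AES_256_CBC_SHA256 seen in the LDAPS capture.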