Package: libnss-ldap
Version: 261-2
Severity: normal

Hi,

After upgrading some systems from etch to lenny we've found that
libnss-ldap has trouble connecting to the directory server. The problem
turned out to be the following line we had in libnss-ldap.conf:

        tls_ciphers TLSv1

This is the end of output with "debug 65535":

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x9766c70 ptr=0x9766c73 end=0x9766c88 len=21
  0000:  78 13 0a 01 00 04 00 04  0c 53 74 61 72 74 20 54   x........Start T  
  0010:  4c 53 20 4f 6b                                     LS Ok             
ber_scanf fmt (}) ber:
ber_dump: buf=0x9766c70 ptr=0x9766c88 end=0x9766c88 len=0

ldap_msgfree
TLS: could not set cipher list TLSv1.
ldap_unbind
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 02 42 00                               0....B.           
ldap_write: want=7, written=7
  0000:  30 05 02 01 02 42 00                               0....B.           
ldap_free_connection: actually freed
ldap_err2string

The command "openssl ciphers TLSv1" produces the expected cipher list,
so OpenSSL still knows about this cipher suite specification. The bug
may be in libldap, but ldapsearch does not have an option to set the
cipher list like libnss-ldap, so I cannot easily test that.

Gabor

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.27-rc5 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0] 1.5.23             Debian configuration management sy
ii  libc6                 2.7-13             GNU C Library: Shared libraries
ii  libcomerr2            1.41.1-3           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.10-3           OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-23    Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   184-4.1    Pluggable Authentication Module al
ii  nscd                          2.7-13     GNU C Library: Name Service Cache 

libnss-ldap suggests no packages.

-- debconf information excluded
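
An added example, not part of the original report: the two BER buffers from the debug output decoded in Python. It shows that the server answered StartTLS with resultCode 0 (success) and that the client then sent an UnbindRequest, so the failure happens locally, at "could not set cipher list". The byte strings are copied from the hex dumps above; the function names are illustrative.

```python
# Added example: decode the two BER buffers shown in the debug output.
# Bytes are copied from the hex dumps in the report; names are illustrative.
EXT_RESPONSE = bytes.fromhex(
    "78 13 0a 01 00 04 00 04 0c 53 74 61 72 74 20 54 4c 53 20 4f 6b")
UNBIND_MSG = bytes.fromhex("30 05 02 01 02 42 00")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length BER element.
    Only single-octet tags are handled, which is all these messages use."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_extended_response(buf):
    """Decode ExtendedResponse, [APPLICATION 24] constructed = 0x78 (RFC 4511)."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    (_, code), (_, dn), (_, msg) = children(body)[:3]
    return int.from_bytes(code, "big"), dn.decode(), msg.decode()

def decode_message(buf):
    """Decode an LDAPMessage envelope: SEQUENCE { messageID, protocolOp }."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, msgid), (op_tag, op_val) = children(body)[:2]
    return int.from_bytes(msgid, "big"), op_tag, op_val

if __name__ == "__main__":
    print(decode_extended_response(EXT_RESPONSE))  # resultCode 0 = success
    print(decode_message(UNBIND_MSG))  # op tag 0x42 = UnbindRequest
```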
