On Monday 05 November 2018 17:02:50 Joel Carnat wrote:
> On 05/11/2018 16:38, Stuart Henderson wrote:
> > On 2018-11-05, Joel Carnat <[email protected]> wrote:
> >> On 05/11/2018 13:48, Stuart Henderson wrote:
> >>> On 2018-11-05, Joel Carnat <[email protected]> wrote:
> >>>> TLS:
> >>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384

AES256-GCM-SHA384 is not in:

> # openssl ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256

since it is not an ephemeral cipher suite (and presumably the server does not support any DHE or ECDHE cipher suites). As Stuart mentioned earlier, you'd need to relax the cipher suite list used by ldap(1) to be at least "compat" (or specifically include this cipher suite).
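The mismatch described in the reply above can be reproduced offline by comparing the client's cipher list with what the server offers and classifying each suite by its key exchange. The following is an added example, not code from the thread or from OpenBSD's ldap(1); the client list is the `openssl ciphers` output quoted in the thread, the server-offered set is constructed from the "Cipher is AES256-GCM-SHA384" line, and the `diagnose`/`relaxed_list` helper names are my own. The classification is a simplification: any OpenSSL-style suite name not starting with `ECDHE-` or `DHE-` is treated here as static RSA key transport, which is correct for the names on this page but not for every suite OpenSSL knows.

```python
"""Explain a TLS cipher-suite mismatch between a client's cipher list and
the suites a server is willing to negotiate, as in the ldap(1) case above.

Added example; not code from the thread or from OpenBSD ldap(1).
"""

# First `openssl ciphers` line quoted in the thread: every suite is ECDHE or DHE.
CLIENT_DEFAULT = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256"
)

# Constructed from the thread: the only suite the LDAP server negotiated.
SERVER_OFFERED = ["AES256-GCM-SHA384"]

EPHEMERAL_KX = ("ECDHE", "DHE")


def parse_cipher_list(cipher_list):
    """Split an OpenSSL-style colon-separated cipher list into suite names."""
    return [name for name in cipher_list.split(":") if name]


def key_exchange(suite):
    """Key-exchange label for a suite name (simplified: ECDHE-/DHE- prefixes
    are ephemeral, anything else is treated as static RSA key transport)."""
    head = suite.split("-", 1)[0]
    return head if head in EPHEMERAL_KX else "RSA"


def forward_secret(suite):
    """True when the suite uses an ephemeral key exchange (forward secrecy)."""
    return key_exchange(suite) in EPHEMERAL_KX


def diagnose(client_list, server_offered):
    """Report which suites both sides share and why the handshake fails.

    Returns a dict with the negotiable suites in client-preference order,
    whether the server offers any forward-secret suite at all, and which
    client suites lack forward secrecy (the cost of relaxing the list).
    """
    client = parse_cipher_list(client_list)
    shared = [name for name in client if name in server_offered]
    return {
        "negotiable": shared,
        "server_has_ephemeral": any(forward_secret(s) for s in server_offered),
        "client_non_forward_secret": [c for c in client if not forward_secret(c)],
    }


def relaxed_list(client_list, extra_suites):
    """Return a cipher list with extra suites appended after the existing ones.

    Appending (rather than prepending) keeps ephemeral suites preferred on
    servers that do support them; the added suite is only reached when, as in
    the thread, the server offers nothing with forward secrecy.
    """
    names = parse_cipher_list(client_list)
    for suite in extra_suites:
        if suite not in names:
            names.append(suite)
    return ":".join(names)


if __name__ == "__main__":
    before = diagnose(CLIENT_DEFAULT, SERVER_OFFERED)
    print("default list negotiable suites:", before["negotiable"])
    print("server offers forward secrecy:", before["server_has_ephemeral"])
    relaxed = relaxed_list(CLIENT_DEFAULT, SERVER_OFFERED)
    after = diagnose(relaxed, SERVER_OFFERED)
    print("relaxed list negotiable suites:", after["negotiable"])
    print("non-forward-secret suites now enabled:", after["client_non_forward_secret"])
```

Running it shows an empty intersection with the thread's default list and a single negotiable suite, AES256-GCM-SHA384, once that suite is appended. The `client_non_forward_secret` entry makes the trade-off in the reply explicit: the relaxed list (or LibreSSL's `compat` keyword, which the thread recommends as the minimum) gets the connection working, but every session to a server that only offers static-RSA suites is decryptable later by anyone who obtains the server's private key.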

