On 5/5/21 2:51 AM, Howard Chu wrote:
> Michael Ströder wrote:
>> I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
>> 2.5.4 when connecting to a 2.4 provider:
>>
>> TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.
>>
>> A 2.4.58 consumer replica works just fine.
>>
>> There is this commit in RE25 and I'm not sure whether that introduces a
>> regression on my system:
>>
>> b72bce2400ce303766f355a1dd37f4012754c942
>> ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
>>
>> BTW: openSUSE has implemented something like a crypto policy configuration:
>>
>> https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openssl-1.1.1-system-cipherlist.patch?expand=1
>>
>> Any clue what's going on?
>
> What ciphers have you configured on your client and server? What versions of
> OpenSSL are running on each?
TL;DR: If I comment out TLSCipherSuite in the 2.5.4 slapd.conf everything works.

It fails when setting this in the slapd provider (2.4.58) *and* consumer (2.5.4):

TLSProtocolMin 3.3
TLSCipherSuite HIGH

BTW: I didn't know that these server-side settings also affect the syncrepl client config.

This works when connecting with the 2.5.4 CLI tools to the 2.4.58 server:

LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH /opt/openldap-ms/bin/ldapwhoami ..

But connecting even only with openssl s_client to the 2.5.4 server does not work with the above TLSCipherSuite settings.

All systems have OpenSSL 1.1.1k.

The symlink /etc/crypto-policies/back-ends/openssl.config points to /usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:

@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

Not sure what is really affected by this file.

You can see how the RPMs are built in OBS:

https://build.opensuse.org/package/show/security:tls/openssl-1_1
https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms

Ciao, Michael.
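As an added example (not code from this thread, OpenLDAP or openSUSE), a small POSIX shell helper that shows what a TLSCipherSuite string such as HIGH actually leaves available per protocol version on the local OpenSSL 1.1.1 build, system cipher-list patch included, which is the first thing to check when slapd reports "no ciphers available". It assumes the OpenSSL 1.1.1 `openssl ciphers -v` line format (name, protocol, Kx=, Au=, Enc=, Mac=); the cipher strings in the loop are illustrative choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP/openSUSE.
# Counts what "openssl ciphers -v <string>" leaves available per protocol, so a
# TLSCipherSuite value can be checked against the local OpenSSL 1.1.1 build
# (including a distro system-cipherlist patch) before slapd is restarted.
# Assumes the OpenSSL 1.1.1 "-v" line format: NAME PROTOCOL Kx=.. Au=.. Enc=.. Mac=..

# Read "openssl ciphers -v" output on stdin and print "tls13=<n> legacy=<m>",
# where legacy counts every entry whose protocol column is not TLSv1.3.
tls_suite_counts() {
    awk 'NF >= 2 && $2 == "TLSv1.3" { t++ }
         NF >= 2 && $2 != "TLSv1.3" { l++ }
         END { printf "tls13=%d legacy=%d\n", t, l }'
}

# Evaluate a cipher string with the local openssl binary.
# Returns non-zero when openssl rejects the string outright.
check_cipher_string() {
    out=$(openssl ciphers -v "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | tls_suite_counts
}

# Only run the live check when openssl is on PATH; tls_suite_counts also
# works on output captured from another host.
if command -v openssl >/dev/null 2>&1; then
    for s in HIGH 'HIGH:!aNULL' '@SECLEVEL=2:HIGH'; do   # illustrative strings
        printf '%-20s ' "$s"
        check_cipher_string "$s" || echo "rejected by this OpenSSL build"
    done
fi
```

A result of tls13=0 for the string you put in slapd.conf means no TLSv1.3 suite survives the cipher string on that build, while legacy=0 means the same for TLS 1.2 and older.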