On 5/5/21 2:51 AM, Howard Chu wrote:
> Michael Ströder wrote:
>> I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
>> 2.5.4 when connecting to a 2.4 provider:
>>
>> TLS: can't connect: error:141A90B5:SSL
>> routines:ssl_cipher_list_to_bytes:no ciphers available.
>>
>> A 2.4.58 consumer replica works just fine.
>>
>> There is this commit in RE25 and I'm not sure whether that introduces a
>> regression on my system:
>>
>> b72bce2400ce303766f355a1dd37f4012754c942
>> ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
>>
>> BTW: openSUSE has implemented something like a crypto policy configuration:
>>
>> https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openssl-1.1.1-system-cipherlist.patch?expand=1
>>
>> Any clue what's going on?
> 
> What ciphers have you configured on your client and server? What versions of 
> OpenSSL are running on each?

TL;DR: If I comment out TLSCipherSuite in the 2.5.4 slapd.conf, everything works.

It fails when setting this in the slapd provider (2.4.58) *and* consumer
(2.5.4):

TLSProtocolMin 3.3
TLSCipherSuite HIGH

BTW: I didn't know that these server-side settings also affect the
syncrepl-client config.

This works when connecting with the 2.5.4 CLI tools to the 2.4.58 server:

LDAPNOINIT=1 LDAPTLS_PROTOCOL_MIN=3.3 LDAPTLS_CIPHER_SUITE=HIGH
/opt/openldap-ms/bin/ldapwhoami ..

But connecting to the 2.5.4 server, even with just openssl s_client, does not
work with the above TLSCipherSuite settings.

All systems have OpenSSL 1.1.1k. The symlink
/etc/crypto-policies/back-ends/openssl.config points to
/usr/share/crypto-policies/DEFAULT/openssl.txt which has this single line:

@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

Not sure what is really affected by this file.

You can see how RPMs are built in OBS:

https://build.opensuse.org/package/show/security:tls/openssl-1_1

https://build.opensuse.org/package/show/home:stroeder:openldap25/openldap-ms

Ciao, Michael.
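A check I would run before editing slapd.conf, added here as an example and not code from the thread or from OpenLDAP: feed the TLSCipherSuite string and the TLSProtocolMin value to the local OpenSSL and see which ciphers survive per protocol version, or whether OpenSSL rejects the string outright (which is what slapd reports as "no ciphers available"). Python's ssl module calls the same SSL_CTX_set_cipher_list() that slapd uses for TLSCipherSuite. One assumption: the TLSProtocolMin mapping follows the SSL record-layer numbering, so 3.3 is TLS 1.2 (as in the thread) and 3.4, which the thread does not mention, is TLS 1.3.

```python
"""Show what an OpenSSL cipher string leaves usable under a minimum TLS version.

Added example for the OpenLDAP thread above; not code from the posters or
from OpenLDAP. Assumption: slapd's TLSProtocolMin values use the SSL
record-layer numbering, so 3.3 is TLS 1.2 and 3.4 is TLS 1.3.
"""
import ssl

HAS_TLS13 = ssl.HAS_TLSv1_3

# TLSProtocolMin notation -> ssl.TLSVersion (assumed mapping, see docstring).
PROTOCOL_MIN = {
    "3.1": ssl.TLSVersion.TLSv1,
    "3.2": ssl.TLSVersion.TLSv1_1,
    "3.3": ssl.TLSVersion.TLSv1_2,
    "3.4": ssl.TLSVersion.TLSv1_3,
}


def usable_ciphers(cipher_string, protocol_min="3.3"):
    """Return {protocol_label: [cipher names]} for the ciphers still usable.

    Raises ssl.SSLError, exactly as OpenSSL does, when cipher_string selects
    no pre-TLS-1.3 cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = PROTOCOL_MIN[protocol_min]
    ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    by_proto = {}
    for cipher in ctx.get_ciphers():
        # 'protocol' is the lowest version the cipher works with, the same
        # label 'openssl ciphers -v' prints (SSLv3, TLSv1.0, TLSv1.2, TLSv1.3).
        label = cipher["protocol"]
        # TLS 1.3 suites live in a separate list from the pre-1.3 ciphers:
        # a minimum of TLS 1.3 makes every pre-1.3 cipher unusable.
        if ctx.minimum_version >= ssl.TLSVersion.TLSv1_3 and label != "TLSv1.3":
            continue
        by_proto.setdefault(label, []).append(cipher["name"])
    return by_proto


def cipher_string_is_valid(cipher_string, protocol_min="3.3"):
    """True if OpenSSL accepts the string and at least one cipher survives."""
    try:
        return bool(usable_ciphers(cipher_string, protocol_min))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Inputs taken from the thread: TLSCipherSuite HIGH with TLSProtocolMin
    # 3.3, and the openSUSE DEFAULT crypto-policy cipher string.
    policy = ("@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:"
              "-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:"
              "-SHA384:-CAMELLIA:-ARIA:-AESCCM8")
    cases = (("HIGH, min 3.3", "HIGH", "3.3"),
             ("HIGH, min 3.4", "HIGH", "3.4"),
             ("crypto-policy, min 3.3", policy, "3.3"))
    for title, spec, pmin in cases:
        try:
            result = usable_ciphers(spec, pmin)
        except ssl.SSLError as err:
            print(f"{title}: rejected by OpenSSL: {err}")
            continue
        for proto, names in sorted(result.items()):
            print(f"{title}: {proto}: {len(names)} cipher(s), e.g. {names[0]}")
```

Run it on the consumer host with the same OpenSSL build slapd links against; if "HIGH" with the configured minimum still yields ciphers here but slapd refuses to connect, the problem is in how slapd derives its TLS 1.3 suite list from the string (the ITS#9521 change), not in the cipher string or the crypto-policy file.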
