Hi,

Finally found the explanation :-)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921

gnutls on wheezy doesn't support SHA512 certificates. The workaround is to disable the TLS1.2 cipher:

TLSCipherSuite NORMAL:-VERS-SSL3.0:-VERS-TLS1.2

Regards
Norbert

On 17/03/2017 at 10:23, Norbert Gomes wrote:
> Hi
>
> I need to change my certificate on an OpenLDAP server (Debian Wheezy with
> the latest updates, slapd-2.4.31-2+deb7u2), but I'm facing a strange
> problem using the ldaps protocol:
>
> With the old certificate, I can use a TLS 1.2 cipher, but with the new
> one, TLS 1.2 is not possible.
>
> I use this nmap command to see what ciphers are proposed:
> nmap --script ssl-enum-ciphers -p 636 <fqdn>
>
> When using the command with the old certificate, the following ciphers
> appear (with also a TLSv1.1 cipher):
>
> |   TLSv1.2:
> |     ciphers:
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
> |       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
>
> But when doing the same command, on the same server, with only the
> certificate files modified, I do not have the TLSv1.2 cipher. And no
> other configuration change is made in the slapd.conf file.
>
> The certificates don't contain the cipher instructions, so I don't
> understand why I have this behavior.
> Any ideas?
>
> Regards
>
> Norbert Gomes
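An added example, not part of Norbert's messages and not OpenLDAP or GnuTLS code: a small POSIX shell helper for comparing two `nmap --script ssl-enum-ciphers` runs the way the thread does by eye. It lists the protocol versions a server offers, reports which versions disappeared between a "before" and an "after" scan (here, TLSv1.2 after the certificate swap), and flags RC4/3DES/MD5/NULL suites that nmap of that era still graded "A". The two nmap outputs embedded below are constructed to resemble the runs quoted above; the hostname in the usage comment is a placeholder. Note that the `-VERS-TLS1.2` workaround removes TLS 1.2 rather than restoring it, so a check like this is also useful to confirm which versions and suites remain offered once the priority string is applied.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise and compare
# `nmap --script ssl-enum-ciphers` output from before and after a change.
# Live usage (nmap required; hostname is a placeholder):
#   nmap --script ssl-enum-ciphers -p 636 ldap.example.com > after.txt
#   tls_versions < after.txt
# Below, constructed sample output stands in for the two real scans.

# Constructed sample: the "old certificate" run, TLSv1.1 and TLSv1.2 offered.
SAMPLE_OLD='PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: C'

# Constructed sample: the "new certificate" run, where TLSv1.2 is gone.
SAMPLE_NEW='PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A'

# Print the protocol versions found in nmap output on stdin, one per line.
# Version headers look like "|   TLSv1.2:" or "|   SSLv3:" (trailing space allowed).
tls_versions() {
    awk '/^[|][ _]*(SSLv3|TLSv1(\.[0-9])?):[ \t]*$/ {
            sub(/^[|][ _]*/, ""); sub(/:.*$/, ""); print
         }'
}

# Exit 0 if the version named in $1 (e.g. TLSv1.2) appears in the output on stdin.
has_version() {
    tls_versions | grep -qx "$1"
}

# Print versions present in the "before" output ($1) but absent from "after" ($2).
lost_versions() {
    before=$(printf '%s\n' "$1" | tls_versions)
    after=$(printf '%s\n' "$2" | tls_versions)
    for v in $before; do
        printf '%s\n' "$after" | grep -qx "$v" || printf '%s\n' "$v"
    done
}

# Print cipher suites on stdin that use RC4, 3DES, MD5, NULL, EXPORT or anon
# key exchange, whatever letter grade nmap gave them. Suite lines look like
# "|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A", so the name is field 2.
weak_suites() {
    awk '/^[|] +TLS_[A-Z0-9_]+ / && /RC4|3DES|MD5|NULL|EXPORT|anon/ { print $2 }' \
        | LC_ALL=C sort -u
}

# Join stdin lines with single spaces, no trailing space.
join_lines() {
    tr '\n' ' ' | sed 's/ *$//'
}

# Demonstration on the constructed samples.
echo "Versions before: $(printf '%s\n' "$SAMPLE_OLD" | tls_versions | join_lines)"
echo "Versions after:  $(printf '%s\n' "$SAMPLE_NEW" | tls_versions | join_lines)"
echo "Lost:            $(lost_versions "$SAMPLE_OLD" "$SAMPLE_NEW" | join_lines)"
echo "Weak suites still offered after the change:"
printf '%s\n' "$SAMPLE_NEW" | weak_suites
```

On a live host, save each scan to a file and feed it to `tls_versions` or `weak_suites`; `lost_versions` takes the two saved outputs as strings (`lost_versions "$(cat before.txt)" "$(cat after.txt)"`).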
