On Sat, Jul 30, 2022 at 2:47 PM Jochen Keutel <[email protected]> wrote:
>
> Hello,
> we installed the standard OpenLDAP package on Debian 11. Checking the
> TLS ciphers offered by the server we could see that all six Camellia
> ciphers are gone (128 and 256, for TLS 1.0, 1.1, 1.2) compared with the
> standard OpenLDAP package on Debian 9.
>
> Is this special to the Debian package? Or: Has GnuTLS changed something?
>
> We did run into this issue because some special devices (e.g. Cisco
> Prime Collaboration Assurance) cannot connect to the new OpenLDAP
> server. The server logfile states: TLS handshake: negotiation failure.
> It's not yet clear whether they really can "speak" only Camellia ...
They may be removed due to lack of support for RFC 6367. I _think_ that may be the case for TLS 1.3. If I am not mistaken, TLS 1.3 removed lesser-used cipher suites, like ARIA, Camellia and IDEA. Cf., https://www.redhat.com/en/blog/transport-layer-security-version-13-red-hat-enterprise-linux-8 .

And according to IANA, AEAD ciphers are not defined for Camellia. Cf., https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 .

Try running `gnutls-cli -l` or `gnutls-cli-debug <host>` and see what is supported.

Jeff
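As an added example (not from either poster, and not GnuTLS project code), the script below parses the cipher-suite table that `gnutls-cli -l` prints and reports which bulk ciphers the local GnuTLS build offers, per protocol version, so a Camellia gap like the one described above can be confirmed on the server itself rather than inferred from a "negotiation failure" log line. The two sample outputs embedded here are constructed to resemble the table format (suite name, two hex code bytes, protocol version); they stand in for an older build that still lists Camellia suites and a newer one that does not. Feed the real output of `gnutls-cli -l` to `parse_suites()` to inspect your own system.

```python
"""Parse the cipher-suite table printed by `gnutls-cli -l` and report which
bulk ciphers a GnuTLS build offers, grouped by protocol version.

Added example for the mailing-list thread above; not GnuTLS code.
The two sample outputs below are CONSTRUCTED to resemble the real table
layout. Capture `gnutls-cli -l` output on the host and pass it to
parse_suites() to check an actual build.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One table row looks like (columns separated by runs of whitespace):
#   TLS_ECDHE_RSA_AES_128_GCM_SHA256        0xc0, 0x2f      TLS1.2
SUITE_LINE = re.compile(
    r"^(?P<name>TLS_[A-Z0-9_]+)\s+"
    r"0x(?P<hi>[0-9a-fA-F]{2}),\s*0x(?P<lo>[0-9a-fA-F]{2})\s+"
    r"(?P<version>(?:TLS|SSL)[0-9.]+)$"
)

# Bulk-cipher families recognised in GnuTLS suite names; CAMELLIA is checked
# first so it is never mistaken for something else.
CIPHER_FAMILIES = ("CAMELLIA", "CHACHA20", "AES", "3DES", "ARCFOUR", "NULL")


@dataclass(frozen=True)
class Suite:
    name: str
    code: int      # two-byte IANA code point, e.g. 0xC02F
    version: str   # protocol version column as printed, e.g. "TLS1.2"

    @property
    def cipher(self) -> str:
        """Bulk cipher family derived from the suite name."""
        for fam in CIPHER_FAMILIES:
            if f"_{fam}_" in self.name or self.name.endswith(f"_{fam}"):
                return fam
        return "UNKNOWN"


def parse_suites(text: str) -> list[Suite]:
    """Return every suite row found in gnutls-cli -l output, in order."""
    suites: list[Suite] = []
    for line in text.splitlines():
        m = SUITE_LINE.match(line.strip())
        if not m:
            continue  # skips "Cipher suites for NORMAL", "Protocols:", etc.
        code = (int(m["hi"], 16) << 8) | int(m["lo"], 16)
        suites.append(Suite(m["name"], code, m["version"]))
    return suites


def summarize(suites: list[Suite]) -> dict[str, list[str]]:
    """Map bulk cipher family -> sorted protocol versions that offer it."""
    by_cipher: dict[str, set[str]] = defaultdict(set)
    for s in suites:
        by_cipher[s.cipher].add(s.version)
    return {c: sorted(v) for c, v in by_cipher.items()}


def camellia_suites(suites: list[Suite]) -> list[Suite]:
    """Suites whose bulk cipher is Camellia (the ones the thread is about)."""
    return [s for s in suites if s.cipher == "CAMELLIA"]


# CONSTRUCTED sample: an older build that still lists Camellia suites.
OLD_BUILD_OUTPUT = """\
Cipher suites for NORMAL
TLS_ECDHE_RSA_AES_128_GCM_SHA256                0xc0, 0x2f      TLS1.2
TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256           0xc0, 0x8a      TLS1.2
TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256           0xc0, 0x76      TLS1.2
TLS_RSA_CAMELLIA_128_CBC_SHA1                   0x00, 0x41      SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1                       0x00, 0x0a      SSL3.0

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Ciphers: AES-128-GCM, CAMELLIA-128-GCM, CAMELLIA-128-CBC, 3DES-CBC
"""

# CONSTRUCTED sample: a newer build with no Camellia rows at all.
NEW_BUILD_OUTPUT = """\
Cipher suites for NORMAL
TLS_AES_256_GCM_SHA384                          0x13, 0x02      TLS1.3
TLS_CHACHA20_POLY1305_SHA256                    0x13, 0x03      TLS1.3
TLS_AES_128_GCM_SHA256                          0x13, 0x01      TLS1.3
TLS_ECDHE_RSA_AES_128_GCM_SHA256                0xc0, 0x2f      TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                 0xcc, 0xa8      TLS1.2

Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-128-GCM
"""

if __name__ == "__main__":
    for label, output in (("old build", OLD_BUILD_OUTPUT), ("new build", NEW_BUILD_OUTPUT)):
        suites = parse_suites(output)
        print(f"{label}: {len(suites)} suites, by cipher: {summarize(suites)}")
        for s in camellia_suites(suites):
            print(f"  Camellia: {s.name} (0x{s.code:04X}, {s.version})")
```

If `camellia_suites()` comes back empty on the Debian 11 host, the library simply no longer offers those suites under its default priority string, and the client side (here the Cisco device) has to be checked with `gnutls-cli-debug <host>` or the device's own cipher configuration to see whether it can negotiate anything the server still lists.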
