Hello,
thanks very much for your hints. Unfortunately, I couldn't solve the
problem so far ...
What I've tried:
- create /etc/gnutls/config with content:
    [overrides]
    default-priority-string = NORMAL:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC
- set and export GNUTLS_SYSTEM_PRIORITY_FILE=/etc/gnutls/config and
start slapd directly from this shell
- setting various strings for TLSCipherSuite in slapd.conf (e.g. the
string mentioned above)
Nothing helps ... Still Camellia is not offered by slapd.
Does OpenLDAP use a different GnuTLS priority file than
/etc/gnutls/config? Does OpenLDAP (or the libgnutls used by OpenLDAP)
use the priority file at all?
I've found in the code (./libraries/libldap/tls_g.c, line 110, OpenLDAP
2.5.13):
gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
Does this mean that OpenLDAP always uses NORMAL, independent of the
priority file?
(This could explain the behaviour: if "NORMAL" on Debian 11 is
restricted, then you get fewer cipher suites than on Debian 10 and before.)
Regards
Jochen.
On 01.08.2022 at 19:11, A. Schulze wrote:
On 01.08.22 at 16:30, Quanah Gibson-Mount wrote:
As far as I'm aware, both Debian and Ubuntu continue to link OpenLDAP
to GnuTLS, so pointing out how openssl behaves probably doesn't help
them progress much. I'm guessing though that similar changes were
done to the GnuTLS defaults.
right!
As Quanah mentioned, OpenLDAP on Debian uses GnuTLS; see
https://packages.debian.org/bullseye/libldap-2.4-2
So, sorry for my noise about OpenSSL...
Andreas
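A way to check empirically, on the local GnuTLS build, which cipher suites a priority string resolves to, and whether a system override file changes the expansion of an explicit "NORMAL" the way it would for slapd. This is an added diagnostic script, not code from the thread or from OpenLDAP or GnuTLS; it assumes gnutls-cli (Debian package gnutls-bin) is installed and writes a temporary config file instead of touching /etc/gnutls/config.

```shell
#!/bin/sh
# Added diagnostic: compare what gnutls-cli resolves for a priority string
# with and without a GnuTLS system override file (assumption: gnutls-cli
# from the gnutls-bin package is on PATH).

# Write a GnuTLS system config with an [overrides] section, mirroring the
# file described in the thread, to the path given as $1 with the priority
# string given as $2.
write_override_config() {
    printf '[overrides]\ndefault-priority-string = %s\n' "$2" > "$1"
}

# Count the cipher suites whose name contains $2 (e.g. CAMELLIA) that
# gnutls-cli resolves for priority string $1. "gnutls-cli --list" does not
# connect anywhere; it only expands the string against the local library.
# Prints -1 when gnutls-cli is not available.
count_suites() {
    command -v gnutls-cli >/dev/null 2>&1 || { printf '%s\n' -1; return; }
    gnutls-cli --priority "$1" --list 2>/dev/null | grep -c "$2" || true
}

# Same as count_suites, but with GNUTLS_SYSTEM_PRIORITY_FILE pointing at the
# override file $3, which is how the thread tried to make slapd pick it up.
count_suites_with_config() {
    GNUTLS_SYSTEM_PRIORITY_FILE="$3" count_suites "$1" "$2"
}

main() {
    cfg=$(mktemp)
    write_override_config "$cfg" 'NORMAL:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC'
    # An explicit "NORMAL", as libldap passes it in tls_g.c, first without
    # and then with the override file visible through the environment ...
    echo "NORMAL, no override file:   $(count_suites NORMAL CAMELLIA) Camellia suites"
    echo "NORMAL, with override file: $(count_suites_with_config NORMAL CAMELLIA "$cfg") Camellia suites"
    # ... versus the Camellia-enabling string from the override file used directly.
    echo "explicit Camellia string:   $(count_suites 'NORMAL:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC' CAMELLIA) Camellia suites"
    rm -f "$cfg"
}

main
```

If the second line reports the same count as the first, the override file does not change what an application gets when it passes "NORMAL" explicitly, which is the situation the thread describes; the third line shows that the library itself can still negotiate Camellia when an application asks for it.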