Re: ssl_cipher_list_to_bytes:no ciphers available
Michael Ströder wrote:
> HI!
>
> I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
> 2.5.4 when connecting to a 2.4 provider:
>
> TLS: can't connect: error:141A90B5:SSL
> routines:ssl_cipher_list_to_bytes:no ciphers available.
>
> A 2.4.58 consumer replica works just fine.
>
> There is this commit in RE25 and I'm not sure whether that introduces a
> regression on my system:
>
> b72bce2400ce303766f355a1dd37f4012754c942
> ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1
>
> BTW: openSUSE has implemented something like a crypto policy configuration:
>
> https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openssl-1.1.1-system-cipherlist.patch?expand=1
>
> Any clue what's going on?

What ciphers have you configured on your client and server? What versions of OpenSSL are running on each?

>
> Ciao, Michael.
>

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

ssl_cipher_list_to_bytes:no ciphers available
HI!

I have issues with OpenSSL ciphers on my openSUSE Tumbleweed and release
2.5.4 when connecting to a 2.4 provider:

TLS: can't connect: error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available.

A 2.4.58 consumer replica works just fine.

There is this commit in RE25 and I'm not sure whether that introduces a
regression on my system:

b72bce2400ce303766f355a1dd37f4012754c942
ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1

BTW: openSUSE has implemented something like a crypto policy configuration:

https://build.opensuse.org/package/view_file/security:tls/openssl-1_1/openssl-1.1.1-system-cipherlist.patch?expand=1

Any clue what's going on?

Ciao, Michael.

Re: slapo-ppolicy 2.4 vs. 2.5
On Tue, May 04, 2021 at 12:07:20PM +0200, Michael Ströder wrote:
> Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
> below). These might be related to ITS#9279, though I'm not sure. Any
> changes in this area?

Don't know, my guess is compare it with tests/scripts/test022-ppolicy to
see what the difference is between it and what you're doing.

Don't think this applies here, but a lot of ppolicy behaviour changes
based on whether you're classed as a "password administrator" (having
"manage" access to the password attribute on the entry), see ITS#7084
and the ppolicy draft. If it makes a difference, it's possible that some
of this is interfering, or that it's intentional, will probably have to
decide on a case by case basis.

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Re: slapo-ppolicy 2.4 vs. 2.5
On 5/4/21 9:47 AM, Ondřej Kuzník wrote:
> On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
>> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
>> python-ldap0 tests (see test output below).
>> [..]
>> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
>> expired! 2 grace logins left.'
>
> Does the count reported match the wording of the draft in section 6.2?
> [..]
> If not, please reopen ITS#7596 with a test case.

Thanks for pointing out ITS#7596. I've now updated my test to match the
new behaviour when running on OpenLDAP 2.5.

Still I have failures in my draft-vchu-ldap-pwd-policy tests (see
below). These might be related to ITS#9279, though I'm not sure. Any
changes in this area?

Ciao, Michael.

==
FAIL: test001_pwdpolicy_expiration (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 287, in test001_pwdpolicy_expiration
    self.assertIsInstance(bind_res.ctrls[0], PasswordExpiringControl)
AssertionError: is not an instance of

==
FAIL: test002_pwdpolicy_expired (tests.test_ppolicy.TestPwdPolicy)
--
Traceback (most recent call last):
  File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py", line 308, in test002_pwdpolicy_expired
    l.simple_bind_s(self.user_dn, user_password.encode('utf-8'))
AssertionError: INVALID_CREDENTIALS not raised

Re: slapo-ppolicy 2.4 vs. 2.5
On Sat, May 01, 2021 at 05:31:44PM +0200, Michael Ströder wrote:
> HI!
>
> slapo-ppolicy in OpenLDAP 2.5 shows slightly different behaviour in
> python-ldap0 tests (see test output below).
>
> Tests:
> https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py
>
> When working with Ondřej for solving ITS#9279 I finally "fixed" ldap0
> tests to accommodate the behaviour of OpenLDAP 2.4.x. I did not feel
> comfortable back then because it was not clear to me whether it was the
> correct fix.
>
> Do you have any tests you could run against 2.4 and 2.5 to verify
> whether both have same behaviour?
>
> Ciao, Michael.
>
> ==
> FAIL: test003_ppolicy_grace_logins (tests.test_ppolicy.TestPPolicy)
> --
> Traceback (most recent call last):
>   File "/home/michael/Proj/ae-dir/python-ldap0/tests/test_ppolicy.py",
> line 235, in test003_ppolicy_grace_logins
>     self.assertEqual(
> AssertionError: 'Password expired! 1 grace logins left.' != 'Password
> expired! 2 grace logins left.'
> - Password expired! 1 grace logins left.
> ?                   ^
> + Password expired! 2 grace logins left.
> ?                   ^

Does the count reported match the wording of the draft in section 6.2?

"""
The graceAuthNsRemaining warning specifies the remaining number of
times a user will be allowed to authenticate with an expired password.
"""

If not, please reopen ITS#7596 with a test case.

Thanks,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP