Re: (ITS#9115) It seems like the parameters about tlsCipherSuite not work

2019-11-07 Thread quanah

--On Wednesday, November 6, 2019 8:14 AM + bjm...@cn.ibm.com wrote:

> Full_Name: nancy.mo
> Version: 2.4.46
> OS: redhat7
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (129.42.208.182)

Hello,

The ITS system is for bug reports, not help requests.  Please redirect your 
question to the openldap-technical list for further assistance.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

(ITS#9115) It seems like the parameters about tlsCipherSuite not work

2019-11-06 Thread bjmoya
Full_Name: nancy.mo
Version: 2.4.46
OS: redhat7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (129.42.208.182)


Hi,
I set the cipher suite parameter in the client (ldap.conf) and the server
(slapd.conf) and restarted the service; in the TCP/IP log I find that the cipher has
not changed.
In ldap.conf:
TLS_CIPHER_SUITE ALL:!TLSv1.3

In slapd.conf:
TLSCipherSuite !TLSv1.3

openssl provides these cipher suites:
[root@ ~]# openssl ciphers -v 'TLSv1.3'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any  Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(128) Mac=AEAD

When OpenLDAP works as a client, it sends four cipher suites to the server in the
TLS 1.3 client hello.
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)

When OpenLDAP works as a server, it uses TLS_AES_256_GCM_SHA384 for the connection in
the TLS server hello.

And when I set one specific cipher in the client,
TLS_CIPHER_SUITE TLS_CHACHA20_POLY1305_SHA256

it also sends the same four suites in the client hello.

Could you help me have a look? Thanks.
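Added example for this thread (not code from the report, from OpenLDAP or from Symas): the TLS_CIPHER_SUITE / TLSCipherSuite strings above are handed by libldap to OpenSSL's legacy cipher list (SSL_CTX_set_cipher_list). Python's ssl module exposes that same call as SSLContext.set_ciphers(), so it can reproduce what the report observed without a network: build a ClientHello against in-memory BIOs and read the cipher_suites vector out of it, the way the capture in the report was read. The server hostname is a placeholder and no connection is made. It shows that a "!TLSv1.3" rule in the legacy list leaves the TLS 1.3 suites in the offer, and that only a protocol-version cap removes them; with OpenSSL 1.1.1 the TLS 1.3 suites are selected through a separate call (SSL_CTX_set_ciphersuites), which Python's ssl module does not expose, so that part is not demonstrated here.

```python
"""Added example, not code from the ITS report or from OpenLDAP.

Reproduces with Python's ssl module (same OpenSSL calls) what the report saw:
a legacy cipher-list rule does not remove TLS 1.3 suites from the ClientHello.
"""
import ssl
import struct

# Fixed code points of the TLS 1.3 suites (RFC 8446).
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def client_hello_bytes(cipher_list, cap_at_tls12=False):
    """Return the raw ClientHello record OpenSSL emits for this configuration.

    cipher_list goes to SSL_CTX_set_cipher_list, where the TLS_CIPHER_SUITE /
    TLSCipherSuite values from the report also end up.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    if cap_at_tls12:
        # A protocol-version cap is what actually drops TLS 1.3 from the offer.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Placeholder hostname (assumption); nothing is ever sent on the wire.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="ldap.example.test")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; OpenSSL now waits for a ServerHello
    return outgoing.read()


def offered_cipher_suites(hello):
    """Parse the cipher_suites vector out of a TLS ClientHello record."""
    # Record header: ContentType(1) ProtocolVersion(2) length(2); 0x16 == handshake
    if hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    # Handshake header: HandshakeType(1) length(3); 0x01 == client_hello
    if hello[5] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 5 + 4
    pos += 2 + 32                 # legacy_version, random
    pos += 1 + hello[pos]         # legacy_session_id (length-prefixed)
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    return [struct.unpack_from("!H", hello, pos + i)[0]
            for i in range(0, cs_len, 2)]


def tls13_suites_offered(cipher_list, cap_at_tls12=False):
    """Names of the TLS 1.3 suites present in the ClientHello for cipher_list."""
    suites = offered_cipher_suites(client_hello_bytes(cipher_list, cap_at_tls12))
    return sorted(TLS13_SUITES[s] for s in suites if s in TLS13_SUITES)


def cipher_list_accepted(cipher_list):
    """False when OpenSSL rejects the string outright (Python reports this as
    'No cipher can be selected'); a rejected string changes nothing."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(cipher_list)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # The two client-side strings from the report, as written.
    for rule in ("ALL:!TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"):
        print(f"{rule!r}: accepted by set_cipher_list = {cipher_list_accepted(rule)}")
    print("ALL:!TLSv1.3 still offers:", tls13_suites_offered("ALL:!TLSv1.3"))
    print("ALL:!TLSv1.3 with max TLS 1.2:",
          tls13_suites_offered("ALL:!TLSv1.3", cap_at_tls12=True))
    hello = offered_cipher_suites(client_hello_bytes("ALL:!TLSv1.3"))
    print("full offer:", [TLS13_SUITES.get(s, hex(s)) for s in hello])
```

Run it against the OpenSSL the system links: the first rule is accepted and the TLS 1.3 suites are still offered, which is exactly the capture in the report; capping the maximum version at TLS 1.2 is the only change in this API that removes them. The 0x00ff entry in the full offer is the TLS_EMPTY_RENEGOTIATION_INFO_SCSV OpenSSL appends on an initial handshake, not a cipher that any configuration selects.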