Thanks for the pointers (I have no idea why I failed to find the gnutls26 bug yesterday when I looked)
bug 1533230 comment #12 (https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230/comments/12) seems to be the same problem as I'm having.

Using the command:

  gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224'

works, but

  gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256'

does not work and gives an error of:

  *** Fatal error: The signature algorithm is not supported.
  *** Handshake has failed
  GnuTLS error: The signature algorithm is not supported.

Our slapd.conf file contained

  TLSCipherSuite SECURE256:-VERS-SSL3.0

which I think explains where syncrepl fails but ldapsearch still works, as it will use a SECURE128 cipher. I don't understand why I now need to add specific signature algorithms to the list now though?

--
https://bugs.launchpad.net/bugs/1537762

Title:
  syncrepl does not work when using tls

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  syncrepl gives a "slap_client_connect: URI=ldap://ldaphost.domain.com Error, ldap_start_tls failed (-11)" error.

  syncrepl was working perfectly until I upgraded libgnutls26 from version 2.12.14-5ubuntu3.10 to version 2.12.14-5ubuntu3.11. This new version of gnutls just seems to only have a simple fix for CVE-2015-7575.

  ldapsearch works perfectly happily with the new version of gnutls and our SSL certificate.

  My syncrepl config looks like this:

    syncrepl rid=222
      provider=ldap://ldaphost.domain.com
      starttls=critical
      type=refreshAndPersist
      retry=60,+
      searchbase="dc=ccc,dc=sssssss,dc=aa,dc=uu"
      scope=sub
      schemachecking=off
      bindmethod=simple
      binddn="cn=uuuuuu,dc=ccc,dc=sssss,dc=aa,dc=uu"
      credentials=XXXXXXXX

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: slapd 2.4.28-1.1ubuntu4.6
  ProcVersionSignature: Ubuntu 3.2.0-97.137-generic 3.2.73
  Uname: Linux 3.2.0-97-generic x86_64
  ApportVersion: 2.0.1-0ubuntu17.13
  Architecture: amd64
  Date: Mon Jan 25 13:33:26 2016
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
  MarkForUpload: True
  SourcePackage: openldap
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.slapd: 2012-10-02T10:07:38
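An added diagnostic script (not from the bug report, openldap or gnutls) that repeats the gnutls-cli checks from the comment above against one host with each priority string mentioned, including the slapd.conf TLSCipherSuite value, and classifies each handshake result; the host and port are command-line placeholders and gnutls-cli is assumed to be installed.

```shell
#!/bin/sh
# Probe an LDAPS endpoint with several GnuTLS priority strings and report
# which ones complete the handshake and which fail on the signature
# algorithm, as seen in the bug. Usage: ./probe.sh ldaphost.domain.com 636

# Classify gnutls-cli output: "ok", "sigalg" (signature algorithm rejected)
# or "fail" (any other error, e.g. connection refused).
classify_handshake() {
    out="$1"
    case "$out" in
        *"Handshake was completed"*)                 echo ok ;;
        *"signature algorithm is not supported"*)    echo sigalg ;;
        *)                                           echo fail ;;
    esac
}

# Run one gnutls-cli handshake against HOST:PORT with the given priority
# string; stdin is /dev/null so the client exits right after the handshake.
probe_priority() {
    host="$1"; port="$2"; prio="$3"
    out=$(gnutls-cli -p "$port" "$host" --priority "$prio" </dev/null 2>&1)
    classify_handshake "$out"
}

# Priority strings from the bug: the slapd.conf setting, the two variants
# tried by hand, and the SECURE128 level ldapsearch is assumed to negotiate.
PRIORITIES='SECURE256:-VERS-SSL3.0
SECURE256
SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224
SECURE128'

if [ $# -eq 2 ]; then
    echo "$PRIORITIES" | while IFS= read -r prio; do
        printf '%-45s %s\n' "$prio" "$(probe_priority "$1" "$2" "$prio")"
    done
fi
```

A "sigalg" result for SECURE256 alongside "ok" for the +SIGN-RSA-SHA224 variant reproduces the symptom in the comment without touching the slapd configuration.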

