[Pkg-openldap-devel] Bug#510346: new TLS_CIPHER_SUITE underdocumented
Neil Spring
nspring at gmail.com
Wed Dec 31 18:11:26 UTC 2008
Package: libldap-2.4-2
Version: 2.4.11-1
Severity: normal
Please feel free to retitle; I don't know if this is a
documentation problem or a feature problem.
I'm trying my absolute hardest to get libldap to talk
ssl to ldaps://directory.umd.edu:636/ and haven't figured
it out. I believe my inability to get it to work is just
documentation, but it works in old ldap (2.3.30-5+etch1)
presumably because openssl negotiates differently.
The problem I'm trying to solve:
% openssl s_client -connect directory.umd.edu:636
works. (and thus, old libldap works fine, because openssl
can negotiate with the server.)
% gnutls-cli-debug -p 636 directory.umd.edu
works, and describes many features that the server doesn't
support. e.g., TLS1.1 support.
% gnutls-cli -p 636 directory.umd.edu
fails; wireshark shows gnutls sending a TLS1.1 client hello
and the server dropping the connection.
% gnutls-cli --protocols SSL3.0 -p 636 directory.umd.edu
works; oddly, TLS1.0 does not.
With that knowledge, I can then:
% gnutls-cli --priority 'NORMAL:\!VERS-TLS1.1:\!VERS-TLS1.0' -p 636 directory.umd.edu
So I'm confident that even if there's a bug in gnutls's ability
to negotiate with this server, there should be a way for
me to configure gnutls through ldap.conf.
However, after putting that string into TLS_CIPHER_SUITE
(without escaping the !'s)
% ldapsearch -d 12 -H ldaps://directory.umd.edu/ uid=nspring
ldap_build_search_req ATTRS: supportedSASLMechanisms
TLS: could not set cipher list NORMAL:!VERS-TLS1.1:!VERS-TLS1.0.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
So that doesn't work; I then try setting TLS_CIPHER_SUITE
to TLS_DHE_RSA_3DES_EDE_CBC_SHA1, which has alongside
it in gnutls-cli --list the note SSL3.0; unfortunately,
the client still sends a TLS1.1 client hello message that
the server does not care for.
What the heck am I doing wrong?
I'm certain that ldap.conf(5) must be updated in Debian
to no longer say:
TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and
preference order. <cipher-suite-spec> should
be a cipher specification for OpenSSL,
e.g., HIGH:MEDIUM:+SSLv2.
It would be cool if README.Debian had a small note about
this relatively Debian-specific configuration. (Which I'm
in favor of, don't get me wrong; that's just where I look
for help when I know there's a Debian-ism to deal with.)
After writing this up, I found #466477, which describes
a configuration TLSCipherSuite, which seems to be part of
slapd.conf, which I don't think I have, and asserts that
openldap "supports cipher priority strings", which it
doesn't appear to. I checked upstream 2.4.13; it doesn't
appear to have anything better.
Listing the ciphers to support is not sufficient to get
gnutls to talk to servers like this one.
Thanks for your hard work. I'd be happy to test a
pre-release if there's a patch for passing a priority
string to the gnutls library. I could try to write one,
or better yet test one out, but I don't know that I
understand the problem enough to know someone else doesn't
have a different plan.
thanks,
-neil
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libldap-2.4-2 depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgnutls26 2.4.2-4 the GNU TLS library - runtime libr
ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
libldap-2.4-2 recommends no packages.
libldap-2.4-2 suggests no packages.
-- no debconf information
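The report turns on two things: which protocol versions a gnutls priority string actually leaves enabled, and why a client hello advertising TLS1.1 is dropped by a server that only speaks SSL3.0. The following Python is an added example, not code from the bug report, libldap or gnutls: it models a small subset of the gnutls priority syntax (NORMAL plus VERS-* modifiers; cipher, MAC and key-exchange keywords are left out), assumes that the gnutls 2.4-era NORMAL keyword enables SSL3.0, TLS1.0 and TLS1.1, and models both a well-behaved server and the version-intolerant behaviour the report observes.

```python
import re

# Assumption for this example: gnutls 2.4-era NORMAL enables exactly these
# versions, lowest first; the default TLS1.1 client hello seen in the report
# is consistent with that.
VERSION_ORDER = ("SSL3.0", "TLS1.0", "TLS1.1")
VERSION_RE = re.compile(r"^VERS-(SSL3\.0|TLS1\.[01])$")


def enabled_versions(priority):
    """Protocol versions left enabled by a priority string.
    Supports NORMAL, +VERS-x, !VERS-x and -VERS-x only; any other token
    raises ValueError, the way gnutls_priority_init() rejects a string it
    cannot parse (real gnutls also accepts cipher/MAC/KX keywords)."""
    enabled = set()
    for token in priority.split(":"):
        if token == "NORMAL":
            enabled = set(VERSION_ORDER)
            continue
        if token and token[0] in "+!-":
            op, name = token[0], token[1:]
        else:
            op, name = "+", token
        m = VERSION_RE.match(name)
        if m is None:
            raise ValueError("unsupported priority token: %r" % token)
        if op == "+":
            enabled.add(m.group(1))
        else:
            enabled.discard(m.group(1))
    return [v for v in VERSION_ORDER if v in enabled]


def handshake_outcome(client_versions, server_versions, intolerant=True):
    """Version the two sides settle on, or None if the handshake fails.
    The client hello advertises its highest enabled version. A well-behaved
    server picks the highest version both sides support; a version-intolerant
    server (what the report shows: TLS1.1 and TLS1.0 hellos are dropped,
    only SSL3.0 works) accepts only if the advertised version is one it speaks."""
    if not client_versions:
        return None
    offered = client_versions[-1]
    if intolerant:
        return offered if offered in server_versions else None
    common = [v for v in client_versions if v in server_versions]
    return common[-1] if common else None


if __name__ == "__main__":
    server = {"SSL3.0"}  # constructed: what directory.umd.edu appears to speak
    for spec in ("NORMAL", "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0"):
        print(spec, "->", handshake_outcome(enabled_versions(spec), server))
```

Running it shows the report's two outcomes side by side: the default NORMAL hello fails against the intolerant server while the restricted string negotiates SSL3.0, and a well-behaved server would have settled on SSL3.0 either way.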