[Pkg-openldap-devel] Bug#541256: Bug#541256: Bug#541256: TLS: could not set cipher list TLS_RSA_AES_256_CBC_SHA1
Quanah Gibson-Mount
quanah at zimbra.com
Thu Aug 13 00:19:15 UTC 2009
--On Thursday, August 13, 2009 2:12 AM +0200 Vedran Furač
<vedranf at vedranf.mine.nu> wrote:
>> Please see the upstream comments. The issue is broken behavior on
>> GnuTLS' part.
>
> Ah... I see. Thanks for forwarding it! Anyway, I tried his suggestion
> and changed slapd.conf on server side and libnss/pam_ldap.conf/ldap.conf
> on client to have:
>
> TLSCipherSuite +AES-256-CBC:+SHA1
>
> Now slapd starts, but connection (e.g. getent passwd) to it fails with:
>
> TLS: can't connect: No supported cipher suites have been found..
>
> And ldapsearch -ZZ:
>
> TLS: can't connect: A TLS packet with unexpected length was received.
Sadly, this is likely yet another case of broken behavior on GnuTLS' part,
of which there are growing numbers, like
<http://www.openldap.org/its/index.cgi/?findid=6252>. I'd recommend
building your own openldap server and clients using OpenSSL, which is known
to actually work.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
More information about the Pkg-openldap-devel
mailing list