[Pkg-openldap-devel] Bug#510346: new TLS_CIPHER_SUITE underdocumented

Simon Josefsson simon at josefsson.org
Wed Jan 14 14:03:32 UTC 2009


You wrote:

> Please feel free to retitle; I don't know if this is a
> documentation problem or a feature problem.

It is a feature problem.

> I'm trying my absolute hardest to get libldap to talk
> ssl to ldaps://directory.umd.edu:636/ and haven't figured
> it out.

The server is buggy and refuses to talk with clients that

1) Mention support for TLS 1.1,
OR
2) Try to negotiate any extensions.

OpenSSL does not support TLS 1.1 (I think?), but you can reproduce 2)
with OpenSSL by adding a servername:

jas at mocca:~$ openssl s_client -connect directory.umd.edu:636 -servername foo
CONNECTED(00000003)
19698:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
jas at mocca:~$ 

To talk with your server using GnuTLS, you will have to 

1) Disable TLS 1.1
2) Disable OpenPGP (it sends an extension)
3) Disable server name extension

For example:

jas at mocca:~$ gnutls-cli -p 636 directory.umd.edu --priority 'NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP' --disable-extensions

> However, after putting that string into TLS_CIPHER_SUITE

Your mistake is that you assume that OpenLDAP passes the
TLS_CIPHER_SUITE string to GnuTLS' priority string functions.  Alas, it
doesn't.  Thus, your problem is a feature request really, for OpenLDAP
to support GnuTLS priority strings.

You could experiment with a patch like this to see if you manage to
connect to the server:

--- tls.c.orig	2009-01-14 14:54:33.000000000 +0100
+++ tls.c	2009-01-14 14:56:55.000000000 +0100
@@ -255,6 +255,9 @@
 		gnutls_cipher_set_priority( session->session, ctx->cipher_list );
 		gnutls_mac_set_priority( session->session, ctx->mac_list );
 	}
+
+	gnutls_priority_set_direct( session->session, "NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP", NULL);
+
 	if ( ctx->cred )
 		gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, ctx->cred );
 	
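Review bot: the return value of gnutls_priority_set_direct() is discarded and NULL is passed as the error-position argument, so a rejected priority string (a typo, or a keyword this GnuTLS build does not recognise) leaves the session silently on whatever gnutls_cipher_set_priority()/gnutls_mac_set_priority() configured just above. Suggest `const char *err_pos; int rc = gnutls_priority_set_direct( session->session, prio, &err_pos );` and returning the failure to the caller with err_pos in the log message. The hard-coded "NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP" also overrides the configured cipher_list/mac_list unconditionally; if this goes beyond an experiment, the string should come from TLS_CIPHER_SUITE (or a new keyword), as the message itself proposes, and the then-redundant set_priority calls above removed.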

A proper fix requires co-ordination with the OpenLDAP people.  Either
they 1) remove all strange code for parsing ciphers for GnuTLS and only
use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
they introduce a new configuration keyword TLS_PRIORITY that is sent
to GnuTLS's priority functions.  Given that TLS_CIPHER_SUITE accepts
OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
priority strings, so I would recommend 1).  And improve the
documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
manual in the OpenLDAP documentation.

/Simon
