Univention Bugzilla – Bug 45870
New slapd with GNUTLS doesn't start with OpenSSL "TLSCipherSuite" string
Last modified: 2018-03-14 14:37:53 CET
Created attachment 9318: gnutls-TLSCipherSuite.patch

Since UCS 4.3 slapd is built against GNUTLS instead of OpenSSL, it doesn't start with the OpenSSL "TLSCipherSuite" string that is currently set in the slapd.conf template. Maybe this helps: http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/
Ok, after quite a bit of experimenting and matching cipher-IDs between our current default for OpenSSL:
==========================================================================
OPENSSL_CIPHER_PRIORITY='HIGH:MEDIUM:!aNULL:!MD5:!RC4'
openssl ciphers -V "$OPENSSL_CIPHER_PRIORITY"
==========================================================================
and the corresponding output of gnutls-cli --list, I found that the following expression returns the same cipher list as in openssl:
==========================================================================
GNUTLS_CIPHER_PRIORITY='NORMAL:-SHA1:+PSK:+ECDHE-PSK:+DHE-PSK:+DHE-DSS:+DHE-PSK:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-3DES-CBC:+AES-128-CCM-8:+AES-256-CCM-8:+RSA-PSK:+SRP:+SRP-DSS:+SRP-RSA:+SHA1' ## sort SHA1 to the back
gnutls-cli --list --priority="$GNUTLS_CIPHER_PRIORITY"
==========================================================================
But the sort order of the cipher priorities still differs "slightly".
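The cipher-ID matching described in the comment above can be automated. This is an added example, not part of the bug report or of UCS: it parses the output formats of `openssl ciphers -V` and `gnutls-cli --list` and compares the two lists by their two-byte IANA suite IDs, so suites that only one side enables show up by name. The sample outputs embedded below are constructed for the example, not captured from a UCS system.

```python
"""Compare an OpenSSL cipher list with a GnuTLS priority string by suite ID.

Added example: feed it the real output of
  openssl ciphers -V "$OPENSSL_CIPHER_PRIORITY"
  gnutls-cli --list --priority="$GNUTLS_CIPHER_PRIORITY"
to see which suites differ. The samples below are constructed.
"""
import re

# Constructed sample in the `openssl ciphers -V` line format.
OPENSSL_SAMPLE = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
          0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
          0x00,0x0A - DES-CBC3-SHA            SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Constructed sample in the `gnutls-cli --list` line format.
GNUTLS_SAMPLE = """\
Cipher suites for NORMAL:-3DES-CBC
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  0xc0, 0x2f      TLS1.2
TLS_RSA_AES_256_GCM_SHA384                        0x00, 0x9d      TLS1.2
TLS_DHE_RSA_AES_128_GCM_SHA256                    0x00, 0x9e      TLS1.2

Certificate types: CTYPE-X.509
"""

# OpenSSL: "0xC0,0x2F - NAME ..."; GnuTLS: "TLS_NAME   0xc0, 0x2f   TLS1.2".
OPENSSL_RE = re.compile(r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)", re.M)
GNUTLS_RE = re.compile(r"^(TLS_\S+)\s+0x([0-9A-Fa-f]{2}),\s*0x([0-9A-Fa-f]{2})", re.M)


def openssl_suite_ids(text: str) -> dict:
    """Map suite IDs like 'C02F' to OpenSSL cipher names."""
    return {(a + b).upper(): name for a, b, name in OPENSSL_RE.findall(text)}


def gnutls_suite_ids(text: str) -> dict:
    """Map suite IDs like 'C02F' to GnuTLS (IANA-style) cipher names."""
    return {(a + b).upper(): name for name, a, b in GNUTLS_RE.findall(text)}


def compare(openssl_text: str, gnutls_text: str) -> dict:
    """Return common IDs plus the suites only one library enables, by name."""
    o, g = openssl_suite_ids(openssl_text), gnutls_suite_ids(gnutls_text)
    return {
        "common": sorted(o.keys() & g.keys()),
        "openssl_only": sorted(o[k] for k in o.keys() - g.keys()),
        "gnutls_only": sorted(g[k] for k in g.keys() - o.keys()),
    }


if __name__ == "__main__":
    print(compare(OPENSSL_SAMPLE, GNUTLS_SAMPLE))
```

Matching on the suite ID rather than on names sidesteps the differing naming schemes of the two libraries; ordering differences, which the comment notes remain, are not covered by this set comparison.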
OpenLDAP is built against OpenSSL again.
Might this fix also Bug #45882?
I imported and built OpenLDAP 2.4.45 instead, see Bug 44834 Comment 1.
OK
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".