Bug 45870 - New slapd with GNUTLS doesn't start with OpenSSL "TLSCipherSuite" string
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://etherpad-lite.knut.univention...
: interim-1
Depends on: 45709
Blocks:
Reported: 2017-12-13 13:10 CET by Arvid Requate
Modified: 2018-03-14 14:37 CET
CC: 3 users

What kind of report is it?: Development Internal

Attachments
gnutls-TLSCipherSuite.patch (956 bytes, patch), 2017-12-13 13:10 CET, Arvid Requate

Description Arvid Requate univentionstaff 2017-12-13 13:10:38 CET
Created attachment 9318
gnutls-TLSCipherSuite.patch

Since UCS 4.3 slapd is built against GNUTLS instead of OpenSSL, it doesn't start with the OpenSSL "TLSCipherSuite" string that is currently set in the slapd.conf template.

Maybe this helps:
http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/
Comment 1 Arvid Requate univentionstaff 2017-12-13 15:28:03 CET
Ok, after quite a bit of experimenting and matching cipher-IDs between our current default for OpenSSL:

==========================================================================
OPENSSL_CIPHER_PRIORITY='HIGH:MEDIUM:!aNULL:!MD5:!RC4'

openssl ciphers -V "$OPENSSL_CIPHER_PRIORITY"
==========================================================================

and the corresponding output of gnutls-cli --list I found that the following expression returns the same cipher list as in openssl:

==========================================================================
GNUTLS_CIPHER_PRIORITY='NORMAL:-SHA1:+PSK:+ECDHE-PSK:+DHE-PSK:+DHE-DSS:+DHE-PSK:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM:-3DES-CBC:+AES-128-CCM-8:+AES-256-CCM-8:+RSA-PSK:+SRP:+SRP-DSS:+SRP-RSA:+SHA1'  ## sort SHA1 to the back

gnutls-cli --list --priority="$GNUTLS_CIPHER_PRIORITY"
==========================================================================

But the sort order of the cipher priorities still differs "slightly".
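Comment 1 matches the two cipher lists by their cipher-suite IDs by hand. As an added example (not code from this bug report, from UCS or from OpenLDAP), the Python script below does that comparison mechanically: it parses the output of `openssl ciphers -V` and of `gnutls-cli --list --priority=...`, keys both lists on the two-byte IANA suite ID that the tool-specific names share, and reports suites that appear in only one list plus whether the shared suites come out in the same priority order (the "slightly" different sort order noted above). The embedded sample outputs are constructed in each tool's output format, not captured from the bug, and `compare_live` is a hypothetical helper that runs the real tools when they are installed.

```python
"""Cross-check an OpenSSL cipher string against a GnuTLS priority string.

Hypothetical helper written for this bug page (not part of UCS or OpenLDAP): it
parses the output of `openssl ciphers -V` and `gnutls-cli --list` and compares
the two lists by their IANA cipher-suite IDs, the stable key both tools print.
"""
import re
import subprocess
from typing import Dict, List, Tuple

CipherId = Tuple[int, int]
Suite = Tuple[CipherId, str]

# Constructed samples in each tool's output format (assumption: not captured
# from the bug, just a handful of lines so the comparison runs offline).
OPENSSL_SAMPLE = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

GNUTLS_SAMPLE = """\
Cipher suites for NORMAL:-3DES-CBC
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                        0xc0, 0x2f      TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384                          0x00, 0x9f      TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1                          0xc0, 0x14      SSL3.0
TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256                   0xc0, 0x8a      TLS1.2

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
"""

# `openssl ciphers -V` line: "  0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ..."
OPENSSL_LINE = re.compile(r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)", re.M)
# `gnutls-cli --list` line: "TLS_ECDHE_RSA_AES_256_GCM_SHA384   0xc0, 0x30   TLS1.2"
GNUTLS_LINE = re.compile(r"^(TLS_\S+)\s+0x([0-9A-Fa-f]{2}),\s*0x([0-9A-Fa-f]{2})", re.M)


def parse_openssl(text: str) -> List[Suite]:
    """Return [(suite_id, openssl_name), ...] in the order openssl prints them."""
    return [((int(hi, 16), int(lo, 16)), name) for hi, lo, name in OPENSSL_LINE.findall(text)]


def parse_gnutls(text: str) -> List[Suite]:
    """Return [(suite_id, gnutls_name), ...] in the order gnutls-cli prints them."""
    return [((int(hi, 16), int(lo, 16)), name) for name, hi, lo in GNUTLS_LINE.findall(text)]


def compare_suites(openssl: List[Suite], gnutls: List[Suite]) -> Dict[str, object]:
    """Diff the two lists by suite ID; names are only used for the report."""
    o_ids = [cid for cid, _ in openssl]
    g_ids = [cid for cid, _ in gnutls]
    common = set(o_ids) & set(g_ids)
    return {
        "only_openssl": [name for cid, name in openssl if cid not in common],
        "only_gnutls": [name for cid, name in gnutls if cid not in common],
        "same_set": set(o_ids) == set(g_ids),
        # Server-side priority order matters, so check it on the shared suites too.
        "common_same_order": [c for c in o_ids if c in common] == [c for c in g_ids if c in common],
    }


def compare_live(cipher_string: str, priority: str) -> Dict[str, object]:
    """Run both tools (requires openssl and gnutls-cli on PATH) and compare."""
    o = subprocess.run(["openssl", "ciphers", "-V", cipher_string],
                       check=True, capture_output=True, text=True).stdout
    g = subprocess.run(["gnutls-cli", "--list", "--priority=" + priority],
                       check=True, capture_output=True, text=True).stdout
    return compare_suites(parse_openssl(o), parse_gnutls(g))


if __name__ == "__main__":
    report = compare_suites(parse_openssl(OPENSSL_SAMPLE), parse_gnutls(GNUTLS_SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed samples the report flags 3DES as present only on the OpenSSL side and Camellia-GCM only on the GnuTLS side, which is exactly the kind of mismatch the `-3DES-CBC` and `-CAMELLIA-*-GCM` terms in the priority string above are meant to remove; against real tool output, `compare_live(OPENSSL_CIPHER_PRIORITY, GNUTLS_CIPHER_PRIORITY)` gives the same report for the strings from this comment.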
Comment 2 Arvid Requate univentionstaff 2017-12-18 11:36:13 CET
OpenLDAP is built against OpenSSL again.
Comment 3 Florian Best univentionstaff 2017-12-18 11:41:36 CET
Might this fix also Bug #45882?
Comment 4 Arvid Requate univentionstaff 2017-12-20 16:39:19 CET
I imported and built OpenLDAP 2.4.45 instead, see Bug 44834 Comment 1.
Comment 5 Felix Botner univentionstaff 2017-12-21 16:11:03 CET
OK
Comment 6 Stefan Gohmann univentionstaff 2018-03-14 14:37:53 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".