You wrote:
> Please feel free to retitle; I don't know if this is a
> documentation problem or a feature problem.
It is a feature problem.
> I'm trying my absolute hardest to get libldap to talk
> ssl to ldaps://directory.umd.edu:636/ and haven't figured
> it out.
The server is buggy and refuses to talk with clients that
1) Mentions support for TLS 1.1,
OR
2) Tries to negotiate any extensions.
OpenSSL does not support TLS 1.1 (I think?), but you can reproduce 2)
with OpenSSL by adding a servername:
j...@mocca:~$ openssl s_client -connect directory.umd.edu:636 -servername foo
CONNECTED(00000003)
19698:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
j...@mocca:~$
To talk with your server using GnuTLS, you will have to
1) Disable TLS 1.1
2) Disable OpenPGP (it sends an extension)
3) Disable server name extension
For example:
j...@mocca:~$ gnutls-cli -p 636 directory.umd.edu --priority
'NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP' --disable-extensions
> However, after putting that string into TLS_CIPHER_SUITE
Your mistake is that you assume that OpenLDAP passes the
TLS_CIPHER_SUITE string to GnuTLS' priority string functions. Alas, it
doesn't. Thus, your problem is a feature request really, for OpenLDAP
to support GnuTLS priority strings.
You could experiment with a patch like this to see if you manage to
connect to the server:
--- tls.c.orig 2009-01-14 14:54:33.000000000 +0100
+++ tls.c 2009-01-14 14:56:55.000000000 +0100
@@ -255,6 +255,9 @@
gnutls_cipher_set_priority( session->session, ctx->cipher_list
);
gnutls_mac_set_priority( session->session, ctx->mac_list );
}
+
+ gnutls_priority_set_direct( session->session,
"NORMAL:!VERS-TLS1.1:-CTYPE-OPENPGP", NULL);
+
if ( ctx->cred )
gnutls_credentials_set( session->session,
GNUTLS_CRD_CERTIFICATE, ctx->cred );
A proper fix requires co-ordination with the OpenLDAP people. Either
they 1) remove all strange code for parsing ciphers for GnuTLS and only
use gnutls_priority_set_direct on the TLS_CIPHER_SUITE string, or 2)
they introduce a new configuration keyword TLS_PRIORITY that is is sent
to GnuTLS's priority functions. Given that TLS_CIPHER_SUITE accepts
OpenSSL strings like 'HIGH:+SSLv2' I believe that matches GnuTLS
priority strings, so I would recommend 1). And improve the
documentation to point at, e.g., gnutls_priority_init(3) or the GnuTLS
manual in the OpenLDAP documentation.
/Simon
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
