touch-packages team mailing list archive

[Bug 1537762] Re: syncrepl does not work when using tls

Thanks for the pointers (I have no idea why I failed to find the gnutls26 bug yesterday when I looked)

bug 1533230 comment #12
(https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1534230/comments/12)
seems to be the same problem as I'm having.

Using the command:

gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224'

works but

gnutls-cli -p 636 ldaphost.domain.com --priority 'SECURE256'

does not work and gives an error of

*** Fatal error: The signature algorithm is not supported.
*** Handshake has failed
GnuTLS error: The signature algorithm is not supported.

Our slapd.conf file contained a

TLSCipherSuite SECURE256:-VERS-SSL3.0

which I think explains where syncrepl fails but ldapsearch still works
as it will use a SECURE128 cipher

I don't understand why I now need to add specific signature algorithms
to the list, though?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1537762

Title:
  syncrepl does not work when using tls

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  syncrepl gives a "slap_client_connect: URI=ldap://ldaphost.domain.com Error, ldap_start_tls failed (-11)" error

  syncrepl was working perfectly until I upgraded libgnutls26 from
  version 2.12.14-5ubuntu3.10 to version 2.12.14-5ubuntu3.11

  This new version of gnutls just seems to have only a simple fix for
  CVE-2015-7575

  ldapsearch works perfectly happily with the new version of gnutls and
  our SSL certificate.

  My syncrepl config looks like this:

  syncrepl        rid=222
                  provider=ldap://ldaphost.domain.com
                  starttls=critical
                  type=refreshAndPersist
                  retry=60,+
                  searchbase="dc=ccc,dc=sssssss,dc=aa,dc=uu"
                  scope=sub
                  schemachecking=off
                  bindmethod=simple
                  binddn="cn=uuuuuu,dc=ccc,dc=sssss,dc=aa,dc=uu"
                  credentials=XXXXXXXX

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: slapd 2.4.28-1.1ubuntu4.6
  ProcVersionSignature: Ubuntu 3.2.0-97.137-generic 3.2.73
  Uname: Linux 3.2.0-97-generic x86_64
  ApportVersion: 2.0.1-0ubuntu17.13
  Architecture: amd64
  Date: Mon Jan 25 13:33:26 2016
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
  MarkForUpload: True
  SourcePackage: openldap
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.slapd: 2012-10-02T10:07:38

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1537762/+subscriptions
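
As an added example (not from the bug report, nor code from the OpenLDAP or GnuTLS projects), the following POSIX shell script automates the gnutls-cli check described in the message above: it runs one handshake per candidate priority string, including the slapd.conf TLSCipherSuite value verbatim, and classifies each result so the failing and working priorities can be compared side by side. The host name ldaphost.domain.com and the priority strings come from the thread; the PROBE_HOST/PROBE_PORT variables and the function names are assumptions of the example. The "Handshake was completed" line it looks for is gnutls-cli's normal success marker, and the fatal-error text is the one quoted in the message.

```sh
#!/bin/sh
# Added example, not part of the bug report: probe an LDAPS port with
# gnutls-cli under several GnuTLS priority strings, the way the post does
# by hand, and classify each handshake so the broken and working priorities
# can be compared side by side.

# classify_handshake: read gnutls-cli output on stdin and print one of
#   SIGALG  the "signature algorithm is not supported" failure from the post
#   OK      the handshake completed
#   FAIL    anything else (connection refused, certificate problem, ...)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"The signature algorithm is not supported"*) echo SIGALG ;;
        *"Handshake was completed"*)                  echo OK ;;
        *)                                            echo FAIL ;;
    esac
}

# probe_priority HOST PORT PRIORITY: one gnutls-cli handshake, classified.
probe_priority() {
    host=$1; port=$2; prio=$3
    # stdin from /dev/null makes gnutls-cli exit right after the handshake;
    # 2>&1 merges the "*** Fatal error" lines, which gnutls-cli prints to stderr.
    result=$(gnutls-cli -p "$port" "$host" --priority "$prio" </dev/null 2>&1 \
             | classify_handshake)
    printf '%-48s %s\n' "$prio" "$result"
}

# Priority strings to compare: the two from the post, the slapd.conf
# TLSCipherSuite value verbatim (the post's reasoning is that slapd's
# syncrepl consumer negotiates with that same string), and SECURE128 as
# the ldapsearch comparison the post makes.
PRIORITIES='SECURE256
SECURE256:+SIGN-RSA-SHA224:+SIGN-DSA-SHA224
SECURE256:-VERS-SSL3.0
SECURE128'

# probe_all HOST [PORT]: run every priority string against one endpoint.
probe_all() {
    host=$1; port=${2:-636}
    printf '%s\n' "$PRIORITIES" | while IFS= read -r prio; do
        probe_priority "$host" "$port" "$prio"
    done
}

# Only touch the network when PROBE_HOST is set (assumed variable name), e.g.
#   PROBE_HOST=ldaphost.domain.com sh probe_priorities.sh
if [ -n "$PROBE_HOST" ]; then
    probe_all "$PROBE_HOST" "${PROBE_PORT:-636}"
fi
```

A row reading SIGALG for SECURE256:-VERS-SSL3.0 next to OK for the SECURE128 row reproduces the split the message describes (syncrepl failing while ldapsearch works) without touching slapd; comparing the SECURE256 row with the one carrying +SIGN-RSA-SHA224:+SIGN-DSA-SHA224 shows whether the signature-algorithm restriction alone accounts for it.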