[Bug 317401] Re: Wrong documentation for TLSCipherSuite

nutznboltz kstailey at yahoo.com
Wed Oct 28 20:11:53 GMT 2009


Jaunty uses a newer libgnutls option.  The slapd.conf man page (and
slapd-conf man page) still says you can find cipher names for
TLSCipherSuite (and olcTLSCipherSuite) by running "gnutls-cli -l" but
names output by that command are not accepted as options for
TLSCipherSuite.  This is a bug in the documentation.

Looking through the libgnutls source code (file
gnutls26-2.4.2/lib/gnutls_priority.c, function gnutls_priority_init() )
reveals the option names.

As an example, this syntax is accepted by slapd if you use slapd.conf on
Jaunty:

TLSCipherSuite          SECURE256:SECURE128

but OpenLDAP on Hardy could use

TLSCipherSuite          TLS_RSA_AES_256_CBC_SHA1:TLS_RSA_ARCFOUR_MD5

and now slapd on Jaunty will not start if you try that despite what the
manual page says about TLSCipherSuite accepting ciphers that "gnutls-cli
-l" outputs.

-- 
Wrong documentation for TLSCipherSuite
https://bugs.launchpad.net/bugs/317401
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap2.3 in ubuntu.
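Added example, not code from the bug report, OpenLDAP or GnuTLS: a small POSIX sh check for the value handed to TLSCipherSuite / olcTLSCipherSuite on a slapd linked against libgnutls. It accepts GnuTLS priority-string elements (keywords such as SECURE256 and NORMAL, plus +/-/!/% modifiers) and rejects bare cipher-suite names of the TLS_RSA_... form that "gnutls-cli -l" prints. The keyword list is an assumption taken from the GnuTLS priority-string documentation, not from this page; the gnutls_accepts_priority helper assumes gnutls-cli is installed and returns non-zero for an unparsable --priority string.

```shell
#!/bin/sh
# Sanity check for slapd TLSCipherSuite values when slapd uses GnuTLS.
# GnuTLS expects a priority string, not a list of cipher-suite names.

# is_gnutls_priority PRIORITY
# Returns 0 if every ':'-separated element looks like a priority-string
# element, 1 otherwise. Keyword list assumed from GnuTLS documentation.
is_gnutls_priority() {
    _p=$1
    [ -n "$_p" ] || return 1
    _old_ifs=$IFS
    IFS=':'
    set -- $_p            # split on ':' into positional parameters
    IFS=$_old_ifs
    for _tok in "$@"; do
        case $_tok in
            # keyword sets understood by gnutls_priority_init()
            NORMAL|SECURE|SECURE128|SECURE192|SECURE256|SUITEB128|SUITEB192|PFS|LEGACY|PERFORMANCE|EXPORT|NONE) ;;
            # algorithm / version modifiers, e.g. +AES-256-CBC, -ARCFOUR-128, !VERS-SSL3.0
            +*|-*|!*) ;;
            # percent options, e.g. %SERVER_PRECEDENCE
            %*) ;;
            # anything else (including TLS_RSA_AES_256_CBC_SHA1) is not a priority element
            *) return 1 ;;
        esac
    done
    return 0
}

# slapd_cipher_directive PRIORITY
# Prints the slapd.conf line for an acceptable priority string, fails otherwise.
slapd_cipher_directive() {
    is_gnutls_priority "$1" || return 1
    printf 'TLSCipherSuite %s\n' "$1"
}

# gnutls_accepts_priority PRIORITY
# Asks the installed GnuTLS itself to parse the string (assumption: gnutls-cli
# exits non-zero on a syntax error). Returns 2 when gnutls-cli is not installed.
gnutls_accepts_priority() {
    command -v gnutls-cli >/dev/null 2>&1 || return 2
    gnutls-cli -l --priority "$1" >/dev/null 2>&1
}

# Demonstration on the two values quoted in the bug report.
for p in "SECURE256:SECURE128" "TLS_RSA_AES_256_CBC_SHA1:TLS_RSA_ARCFOUR_MD5"; do
    if is_gnutls_priority "$p"; then
        echo "accepted: $p"
    else
        echo "rejected: $p (cipher-suite names, not a GnuTLS priority string)"
    fi
done
```

The offline check only catches the class of mistake described above; run gnutls_accepts_priority on the same string (or slaptest against the finished slapd.conf) before restarting slapd, since the set of keywords and algorithm names varies with the installed GnuTLS version.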
