Closed stephdl closed 3 years ago
Could you check if there is anything in the logs of your LDAP server about this? From that error message it seems that this error is generated by your server, so it's hard to tell on the client side what causes it.
Will check it, no problem. Our concern is that we use other applications that also bind to OpenLDAP with SSL over port 636, so normally we should have a workable solution.
Will check and report, thanks for your input.
In /var/log/slapd I can see
Jan 22 14:29:03 ns7loc11 slapd[10993]: conn=1271 fd=24 ACCEPT from IP=192.168.56.241:42792 (IP=0.0.0.0:636)
Jan 22 14:29:03 ns7loc11 slapd[10993]: conn=1271 fd=24 closed (TLS negotiation failure)
like in the ejabberd log.
When I test my connectivity to my LDAP server externally I get
[root@ns7loc14 ~]# nmap --script ssl-enum-ciphers 192.168.56.12 -p 636
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-22 14:29 CET
Nmap scan report for ns7loc11.nethservertest.org (192.168.56.12)
Host is up (0.00047s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: weak
MAC Address: 52:54:00:8A:0E:24 (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
To be sure that my OpenLDAP server gets the widest cipher audience, I use in /etc/openldap/slapd.d/cn=config.ldif
olcTLSProtocolMin: 3.0
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
What ciphers and SSL protocol is eldap supposed to use?
Available ciphers depend mostly on the erlang/openssl in your system. Could you run the ejabberd debug console: ejabberdctl debug
and inside this could you try executing this: ssl:connect("192.168.56.12", 636, [{log_level, debug}]).
and see what this produces? You can close the console later with double ctrl-c.
[root@ns7loc14 testssl.sh]# systemctl status ejabberd
● ejabberd.service - ejabberd XMPP Server
Loaded: loaded (/usr/lib/systemd/system/ejabberd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-01-22 14:56:51 CET; 1h 5min ago
CGroup: /system.slice/ejabberd.service
├─18492 /opt/ejabberd-20.12/bin/epmd -daemon
├─18494 /opt/ejabberd-20.12/bin/beam.smp -K true -P 250000 -- -root /opt/ejabberd-20.12 -progname /opt/ejabberd-20.12/b...
├─18502 erl_child_setup 65536
├─18532 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
├─18533 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
├─18534 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
├─18535 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
└─18536 /opt/ejabberd-20.12/lib/os_mon-2.4.7/priv/bin/memsup
Jan 22 14:56:48 ns7loc14.nethservertest.org systemd[1]: Starting ejabberd XMPP Server...
Jan 22 14:56:51 ns7loc14.nethservertest.org systemd[1]: Started ejabberd XMPP Server.
[root@ns7loc14 testssl.sh]# /opt/ejabberd-20.12/bin/ejabberdctl debug
--------------------------------------------------------------------
IMPORTANT: we will attempt to attach an INTERACTIVE shell
to an already running ejabberd node.
If an ERROR is printed, it means the connection was not successful.
You can interact with the ejabberd node if you know how to use it.
Please be extremely cautious with your actions,
and exit immediately if you are not completely sure.
To detach this shell from ejabberd, press:
control+c, control+c
--------------------------------------------------------------------
To bypass permanently this warning, add to ejabberdctl.cfg the line:
EJABBERD_BYPASS_WARNINGS=true
Press return to continue
Erlang/OTP 21 [erts-10.3.4] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]
Eshell V10.3.4 (abort with ^G)
(ejabberd@localhost)1> ssl:connect("192.168.56.12", 636, [{log_level, debug}]).
{error,{options,{socket_options,[{log_level,debug},
{packet_size,0},
{packet,0},
{header,0},
{active,false},
{mode,binary}]}}}
(ejabberd@localhost)2> ssl:connect("192.168.56.12", 636, [{log_level, debug}])
(ejabberd@localhost)2>
Not sure about the trailing dot, I tested both cases.
Yeah, the dot is needed, but it looks like this version of erlang doesn't recognize this option; I think log_level was only added in the most recent version.
(ejabberd@localhost)7> ssl:connect("192.168.56.12", 636, []).
{error,{tls_alert,{handshake_failure,"received CLIENT ALERT: Fatal - Handshake Failure"}}}
Not sure it helps, but erlang itself cannot connect :|
Yes, this is exactly what the ldap modules use to communicate over TLS; that's why I asked you in the first place to try with debug log_level, I was hoping that it would show what it tries to negotiate.
[root@ns7loc14 testssl.sh]# nmap --script ssl-enum-ciphers 192.168.56.12 -p 636
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-22 17:35 CET
Nmap scan report for ttt.nethservertest.org (192.168.56.12)
Host is up (0.00048s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: weak
MAC Address: 52:54:00:8A:0E:24 (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
Testing the use of strong ciphers with OpenLDAP
[root@ns7loc11 ~]# ldapmodify -Y EXTERNAL <<EOF
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
As you can see with nmap, my slapd server talks only TLS 1.2.
I wanted to see if eldap wanted to talk only with high ciphers;
however it is the same.
(ejabberd@localhost)1> ssl:connect("192.168.56.12", 636, []).
{error,{tls_alert,{handshake_failure,"received CLIENT ALERT: Fatal - Handshake Failure"}}}
(ejabberd@localhost)2>
Even with a really strict policy, this is a working bind from DokuWiki for the user admin:
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 ACCEPT from IP=192.168.56.241:60898 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2071 fd=23 ACCEPT from IP=192.168.56.241:49325 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2071 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 ACCEPT from IP=192.168.56.241:43872 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 TLS established tls_ssf=256 ssf=256
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=2 SRCH base="ou=People,dc=directory,dc=nh" scope=2 deref=0 filter="(|(uid=admin)(mail=admin))"
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (uid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SRCH base="ou=Groups,dc=directory,dc=nh" scope=2 deref=0 filter="(memberUid=admin)"
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SRCH attr=cn
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (memberUid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=6 SRCH base="ou=People,dc=directory,dc=nh" scope=2 deref=0 filter="(|(uid=admin)(mail=admin))"
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (uid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SRCH base="ou=Groups,dc=directory,dc=nh" scope=2 deref=0 filter="(memberUid=admin)"
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SRCH attr=cn
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (memberUid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=8 UNBIND
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 closed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2073 fd=23 ACCEPT from IP=192.168.56.241:39538 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2073 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2074 fd=23 ACCEPT from IP=192.168.56.241:58724 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2074 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2075 fd=23 ACCEPT from IP=192.168.56.241:33552 (IP=0.0.0.0:636)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2075 fd=23 closed (TLS negotiation failure)
Either my ejabberd configuration is bad, or something doesn't work as expected in ejabberd for OpenLDAP.
:-?
This is the DokuWiki configuration:
$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldaps://192.168.56.12:636";
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(|(uid=%{user})(mail=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(memberUid=%{uid})';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn'] = "cn=ldapservice,dc=directory,dc=nh";
$conf['plugin']['authldap']['bindpw'] = "V_85617fr2bK3Csj";
$conf['plugin']['authldap']['starttls'] = 0;
$conf['plugin']['authldap']['modPass'] = 0;
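The slapd log excerpts above (and the two lines quoted earlier from /var/log/slapd) are the server-side signal for this problem: the ejabberd host's connections end in `closed (TLS negotiation failure)` while the DokuWiki bind reaches `TLS established`. The script below is an added example, not code from the issue or from ejabberd/OpenLDAP; it correlates slapd's `conn=N` lines per client IP so that a host that never completes a handshake stands out. The sample log is constructed from the format quoted in the thread (the second client IP, 192.168.56.250, is made up for the example).

```python
"""Correlate slapd ACCEPT / TLS lines per client to spot handshake failures.

Added example (not from the issue thread): works on syslog lines in the
format slapd writes at the default 'stats' loglevel, as quoted in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# A connection is identified by conn=N. The ACCEPT line carries the client IP;
# a later line on the same conn tells us whether the TLS handshake succeeded.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_OK_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+)")
TLS_FAIL_RE = re.compile(r"conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)")

# Constructed sample modelled on the slapd log excerpts quoted in the thread.
# 192.168.56.250 is an invented second client used to show the per-IP split.
SAMPLE_LOG = """\
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 ACCEPT from IP=192.168.56.241:60898 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 ACCEPT from IP=192.168.56.241:43872 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 TLS established tls_ssf=256 ssf=256
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 closed
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2080 fd=24 ACCEPT from IP=192.168.56.250:51000 (IP=0.0.0.0:636)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2080 fd=24 closed (TLS negotiation failure)
Jan 22 17:40:36 ns7loc11 slapd[29957]: conn=2081 fd=24 ACCEPT from IP=192.168.56.250:51002 (IP=0.0.0.0:636)
Jan 22 17:40:36 ns7loc11 slapd[29957]: conn=2081 fd=24 closed (TLS negotiation failure)
"""


def summarise_tls(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per client IP, count TLS handshakes that were established vs failed."""
    conn_ip: Dict[str, str] = {}            # conn id -> client IP
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"established": 0, "failed": 0}
    )
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = TLS_OK_RE.search(line)
        if m:
            stats[conn_ip.get(m.group(1), "unknown")]["established"] += 1
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            stats[conn_ip.get(m.group(1), "unknown")]["failed"] += 1
    return dict(stats)


def never_completes_tls(stats: Dict[str, Dict[str, int]]) -> List[str]:
    """Clients with failures and no successful handshake at all.

    This is the pattern the thread traced to a cipher-suite mismatch: the
    client refuses RSA key transport and the server offers nothing else.
    """
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] and not s["established"])


if __name__ == "__main__":
    summary = summarise_tls(SAMPLE_LOG.splitlines())
    for ip, s in sorted(summary.items()):
        print(f"{ip}: established={s['established']} failed={s['failed']}")
    print("never completes TLS:", never_completes_tls(summary))
```

Run it against a real file with `summarise_tls(open("/var/log/slapd").read().splitlines())`; a client that appears only in the "never completes TLS" list is worth checking against the server's offered cipher suites before suspecting certificates.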
when I test externally my connectivity to my ldap server I have
That list only includes RSA key-exchange ciphers. Erlang/OTP >= 21 disables those by default.
olcTLSProtocolMin: 3.0 olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
I would expect that to include far more than just the RSA key exchange ciphersuites reported by nmap. What does this report for you, on the same system?:
openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
I think we run the default of CentOS 7.9.
On the server running OpenLDAP:
[root@ns7loc11 ~]# openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DH-RSA-AES256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA1
DH-DSS-AES256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DH-RSA-AES128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1
DH-DSS-AES128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA SSLv3 Kx=DH/RSA Au=DH Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA SSLv3 Kx=DH/DSS Au=DH Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA SSLv3 Kx=DH/DSS Au=DH Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
On the server running ejabberd:
[root@ns7loc14 ~]# openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DH-RSA-AES256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA1
DH-DSS-AES256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DH-RSA-AES128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1
DH-DSS-AES128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA SSLv3 Kx=DH/RSA Au=DH Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA SSLv3 Kx=DH/DSS Au=DH Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA SSLv3 Kx=DH/DSS Au=DH Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
On RHEL/CentOS OpenLDAP uses NSS for SSL/TLS, not OpenSSL, so that check wasn't particularly useful, sorry.
Do you have a DH Parameter file (olcTLSDHParamFile
) configured for OpenLDAP? See https://access.redhat.com/articles/1474813 for how to create one.
Thanks for your help. I do not think we have a DH key for our configuration; I will report it.
I think I owe you a beer; when can I buy you something to drink, do you waste time at FOSDEM?
The key is that Erlang 21 expects a DH key; I run a default TLS OpenLDAP on CentOS 7 but without a DH key.
[root@ns7loc11 ~]# openssl dhparam -out /etc/openldap/certs/slapd.dh.params.tmp 1024
[root@ns7loc11 ~]# mv /etc/openldap/certs/slapd.dh.params.tmp /etc/openldap/certs/slapd.dh.params
[root@ns7loc11 ~]# ldapmodify -Y EXTERNAL <<EOF
> dn: cn=config
> changetype: modify
> replace: olcTLSDHParamFile
> olcTLSDHParamFile: /etc/openldap/certs/slapd.dh.params
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
[root@ns7loc11 ~]# ll /etc/openldap/certs/slapd.dh.params
-rw-r--r-- 1 root root 245 Jan 25 16:47 /etc/openldap/certs/slapd.dh.params
[root@ns7loc11 ~]# systemctl restart slapd
Erlang 21 expects TLS_DHE_RSA for the TLS handshake:
[root@ns7loc14 ~]# nmap --script ssl-enum-ciphers 192.168.56.12 -p 636
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-25 21:48 CET
Nmap scan report for ttt.nethservertest.org (192.168.56.12)
Host is up (0.00048s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
MAC Address: 52:54:00:E5:55:1E (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
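The diagnosis in this thread rests on two observations: the first nmap scans list only TLS_RSA_* suites, which Erlang/OTP >= 21 disables by default, and once olcTLSDHParamFile is set the scan above gains TLS_DHE_RSA_* suites and the handshake works. The script below is an added example, not code from the issue, from nmap or from ejabberd; it parses the ssl-enum-ciphers output format shown in the thread and reports whether the server offers any forward-secret (DHE/ECDHE) key exchange at all, which is the check to run before blaming the client. The two sample reports are constructed excerpts modelled on the scans quoted in the thread.

```python
"""Check an nmap ssl-enum-ciphers report for forward-secret key exchange.

Added example (not from the issue thread): a server that offers only
TLS_RSA_* suites (RSA key transport) cannot complete a handshake with a
client that has those suites disabled, as Erlang/OTP >= 21 does by default.
"""
import re
from typing import Dict, List, Set

# Per-suite lines, e.g. "|     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong".
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+(\w+)\s*$")
# Protocol headings, e.g. "|   TLSv1.2:".
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
# Key-exchange families that give forward secrecy (ephemeral DH / ECDH).
FORWARD_SECRET_KX = {"DHE", "ECDHE"}

# Constructed excerpt modelled on the thread's scans before a DH parameter
# file was configured: only RSA key-transport suites, on every protocol.
REPORT_RSA_ONLY = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: weak
"""

# Constructed excerpt modelled on the scan after olcTLSDHParamFile was set:
# DHE_RSA suites now appear alongside the RSA ones.
REPORT_WITH_DHE = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""


def parse_nmap_ciphers(report: str) -> Dict[str, List[str]]:
    """Return {protocol: [suite names]} from ssl-enum-ciphers output."""
    suites: Dict[str, List[str]] = {}
    proto = None
    for line in report.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites.setdefault(proto, [])
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            suites[proto].append(m.group(1))
    return suites


def key_exchange(suite: str) -> str:
    """'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' -> 'DHE'; 'TLS_RSA_WITH_...' -> 'RSA'."""
    kx_auth = suite[len("TLS_"):].split("_WITH_")[0]   # e.g. 'DHE_RSA' or 'RSA'
    return kx_auth.split("_")[0]


def assess(report: str) -> Dict[str, object]:
    """Summarise what a client that refuses RSA key transport could negotiate."""
    by_proto = parse_nmap_ciphers(report)
    all_suites = {s for suites in by_proto.values() for s in suites}
    kx_kinds: Set[str] = {key_exchange(s) for s in all_suites}
    return {
        "protocols": sorted(by_proto),
        "key_exchanges": sorted(kx_kinds),
        "forward_secret_suites": sorted(
            s for s in all_suites if key_exchange(s) in FORWARD_SECRET_KX),
        "rsa_only": kx_kinds == {"RSA"},
    }


if __name__ == "__main__":
    for label, report in (("no DH params", REPORT_RSA_ONLY),
                          ("with DH params", REPORT_WITH_DHE)):
        result = assess(report)
        verdict = "OK" if result["forward_secret_suites"] else "RSA key transport only"
        print(f"{label}: {verdict}; key exchanges offered: {result['key_exchanges']}")
```

To use it on a live scan, pipe the output of `nmap --script ssl-enum-ciphers <host> -p 636` into `assess()`; an `rsa_only` result explains the `TLS negotiation failure` seen on the slapd side without any certificate problem being involved.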
I would like to close this issue, but I think we could maybe have something to do in the ejabberd documentation, or do you think the documentation already states this requirement somewhere?
We closed the issue on our project; let's close this one too. Thanks again for helping us fix our issue.
Environment
erl +V
Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml
Errors from error.log/crash.log
No errors from crash.log, only from
/var/log/ejabberd/ejabberd.log
Bug description
We provide a server configuration for ejabberd with an account provider that you can use locally or remotely based on samba AD or openldap.
We can bind our applications to OpenLDAP locally or remotely, in plain text or encrypted, so we have a working configuration, but ejabberd gets a TLS handshake failure error when we try to use ldaps over 636, no matter whether the OpenLDAP is local or remote.
If I change the account provider on the same server to Samba AD I have no error, so it is not a certificate issue.
I read another issue https://github.com/processone/ejabberd/pull/2344#issuecomment-733726135 and it seems that downgrading to erlang 19 fixed the issue.