processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

mod_shared_roster_ldap: In state hello received SERVER ALERT: Fatal - Handshake Failure #3496

Closed stephdl closed 3 years ago

stephdl commented 3 years ago

Environment

[root@ns7loc14 ~]# grep -Ev '^$|^\s*#' /etc/ejabberd/ejabberd.yml
# ejabberd.yml as pasted by the reporter (blank and comment lines were
# filtered out by the grep above). Review comments are marked NOTE(review).
loglevel: 4
log_rotate_count: 0
hosts:
  - "nethservertest.org"
define_macro:
  'CERTFILE': "/etc/ejabberd/ejabberd.pem"
  # TLSOPTS/CIPHERS are applied to the *listeners* below (c2s/http). They do
  # not configure the outbound LDAP client: the thread shows eldap goes through
  # Erlang's ssl application (ssl:connect), whose defaults are set by the
  # OTP release, not by these macros.
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
  # NOTE(review): the line break inside this double-quoted scalar folds to a
  # single space ("kRSA: +kRSA+SHA"). OpenSSL accepts space as a cipher-list
  # separator, so this should be harmless — confirm with `openssl ciphers`.
  'CIPHERS': "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:
    +kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!SSLv3:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES"
certfiles:
    - 'CERTFILE'   # reported as self-signed and not matching any host at startup (see ejabberd.log below)
listen:
  - 
    port: 5222
    ip: "0.0.0.0"   # bound on all interfaces
    module: ejabberd_c2s
    protocol_options: 'TLSOPTS'
    starttls: true
    starttls_required: true   # clients may not authenticate before upgrading to TLS
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    ciphers: 'CIPHERS'
  - 
    port: 5223
    ip: "0.0.0.0"
    module: ejabberd_c2s
    access: c2s
    shaper: c2s_shaper
    tls: true   # direct TLS on connect (no STARTTLS) on this port
    protocol_options: 'TLSOPTS'
    max_stanza_size: 65536
    ciphers: 'CIPHERS'
  - 
    port: 5280
    ip: "0.0.0.0"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/api": mod_http_api   # REST API on a public-facing TLS listener; gated by api_permissions below
      "/bosh": mod_bosh

    captcha: false
    protocol_options: 'TLSOPTS'
    ciphers: 'CIPHERS'
s2s_use_starttls: required
auth_method: external
extauth_program: "/usr/libexec/nethserver/ejabberd-auth"   # the perl helpers seen in `systemctl status` later in the thread
extauth_pool_size: 4
auth_use_cache: false
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - ip: "127.0.0.1/8"
            - acl: admin   # NOTE(review): the admin ACL below is empty, so only loopback matches here
      - oauth:
        - scope: "ejabberd:admin"
        - access:
          - allow:
              - ip: "127.0.0.1/8"
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
acl:
  admin:
    user:   # empty: no user is granted the admin ACL
  local:
    user_regexp: ""
  loopback:
    ip:
      - "127.0.0.0/8"
shaper:
  normal: 500000
  fast: 1000000
max_fsm_queue: 10000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    - 5000: admin
    - 100
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast
access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  register:
    - deny   # in-band registration refused for everyone (used by mod_register below)
  trusted_network:
    - allow: loopback
language: "en"
allow_contrib_modules: true
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  mod_disco: {}
  mod_bosh: {}
  mod_last: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to nethservertest.org XMPP server.
    ip_access: trusted_network   # loopback only, and the register rule denies anyway
    access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_vcard:
    search: false
  mod_version: {}
  mod_stream_mgmt: {}
  mod_s2s_dialback: {}
  mod_http_api: {}
  # The module this issue is about: the LDAPS connection below is the one
  # failing with "Handshake Failure" in ejabberd.log.
  mod_shared_roster_ldap:
     ldap_base: "dc=directory,dc=nh"
     ldap_encrypt: tls   # with ldap_port 636 this is LDAPS (TLS from connect, not STARTTLS)
     ldap_tls_verify: false   # NOTE(review): server certificate is not verified at all; an on-path attacker could impersonate the LDAP server and capture the bind below
     ldap_groupattr: "cn"
     ldap_groupdesc: "o"
     ldap_memberattr: "uid"
     ldap_memberattr_format: "%u"
     ldap_password: "V_85617fr2bK3Csj"   # NOTE(review): cleartext bind secret, duplicated in the dokuwiki config later in this thread and now public — rotate it
     ldap_port: 636
     ldap_rfilter: "(objectClass=posixAccount)"
     ldap_rootdn: "cn=ldapservice,dc=directory,dc=nh"   # service account used for the simple bind
     ldap_servers: ["192.168.56.12"]   # the host probed with nmap/openssl below
     ldap_ufilter: "(uid=%u)"
     ldap_useruid: "uid"

Errors from error.log/crash.log

No errors from crash.log, only from /var/log/ejabberd/ejabberd.log

2021-01-21 17:58:51.998 [notice] <0.120.0>@lager_file_backend:152 Changed loghwm of /var/log/ejabberd/error.log to 100
2021-01-21 17:58:51.998 [notice] <0.120.0>@lager_file_backend:152 Changed loghwm of /var/log/ejabberd/ejabberd.log to 100
2021-01-21 17:58:52.116 [info] <0.106.0>@ejabberd_config:load:82 Loading configuration from /etc/ejabberd/ejabberd.yml
2021-01-21 17:58:52.333 [warning] <0.106.0>@gen_mod:warn_soft_dep_fail:582 Module mod_mam is recommended for module mod_muc but is not found in the config
2021-01-21 17:58:52.355 [info] <0.106.0>@ejabberd_config:load:89 Configuration loaded successfully
2021-01-21 17:58:52.725 [info] <0.335.0>@gen_mod:start_modules:130 Loading modules for nethservertest.org
2021-01-21 17:58:52.929 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
2021-01-21 17:58:52.929 [info] <0.442.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure

2021-01-21 17:58:52.988 [info] <0.106.0>@ejabberd_cluster_mnesia:wait_for_sync:123 Waiting for Mnesia synchronization to complete
2021-01-21 17:58:53.038 [warning] <0.359.0>@ejabberd_pkix:log_warnings:393 Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 29: self-signed certificate
2021-01-21 17:58:53.200 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching nethservertest.org
2021-01-21 17:58:53.200 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching conference.nethservertest.org
2021-01-21 17:58:53.201 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching pubsub.nethservertest.org
2021-01-21 17:58:53.201 [info] <0.106.0>@ejabberd_app:start:62 ejabberd 20.12 is started in the node ejabberd@localhost in 1.40s
2021-01-21 17:58:53.201 [warning] <0.451.0>@ejabberd_acme:request_on_start:593 No HTTP listeners for ACME challenges are configured, automatic certificate requests are aborted. Hint: configure the listener and restart/reload ejabberd. Or set acme->auto option to `false` to suppress this warning.
2021-01-21 17:58:53.202 [info] <0.356.0>@ejabberd_listener:init:159 Start accepting TCP connections at 0.0.0.0:5222 for ejabberd_c2s
2021-01-21 17:58:53.202 [info] <0.357.0>@ejabberd_listener:init:159 Start accepting TLS connections at 0.0.0.0:5223 for ejabberd_c2s
2021-01-21 17:58:53.202 [info] <0.358.0>@ejabberd_listener:init:159 Start accepting TLS connections at 0.0.0.0:5280 for ejabberd_http
2021-01-21 17:58:53.438 [info] <0.503.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure

2021-01-21 17:58:53.438 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
2021-01-21 17:58:53.943 [info] <0.509.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure

2021-01-21 17:58:53.943 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure

Bug description

We provide a server configuration for ejabberd with an account provider that you can use locally or remotely based on samba AD or openldap.

We can bind our applications to openldap, locally or remotely, in plain text or encrypted, so we have a working configuration; but ejabberd reports a TLS handshake failure when we try to use ldaps over port 636, regardless of whether the openldap server is local or remote.

If I change the account provider on the same server to samba AD I have no error, so it is not a certificate issue

I read in another issue https://github.com/processone/ejabberd/pull/2344#issuecomment-733726135 and it seems that the downgrade to erlang 19 fixed the issue.

prefiks commented 3 years ago

Could you check if there is anything in the logs of your ldap server about this? From that error message it seems that this error is generated by your server, so it's hard to tell on the client side what causes it.

stephdl commented 3 years ago

Will check it, no problem. Our concern is that we use other applications that also bind to openldap over SSL on port 636, so normally we should have a working setup.

Will check and report, thanks for your input

stephdl commented 3 years ago

in /var/log/slapd I can see

Jan 22 14:29:03 ns7loc11 slapd[10993]: conn=1271 fd=24 ACCEPT from IP=192.168.56.241:42792 (IP=0.0.0.0:636)
Jan 22 14:29:03 ns7loc11 slapd[10993]: conn=1271 fd=24 closed (TLS negotiation failure)

matching the ejabberd log

when I test externally my connectivity to my ldap server I have

[root@ns7loc14 ~]# nmap  --script ssl-enum-ciphers 192.168.56.12 -p 636

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-22 14:29 CET
Nmap scan report for ns7loc11.nethservertest.org (192.168.56.12)
Host is up (0.00047s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak
MAC Address: 52:54:00:8A:0E:24 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds

To be sure that my openldap server accepts a wide range of ciphers, I use in /etc/openldap/slapd.d/cn=config.ldif

olcTLSProtocolMin: 3.0
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Which ciphers and which SSL/TLS protocol is eldap supposed to use?

prefiks commented 3 years ago

Available ciphers depend mostly on the erlang/openssl on your system. Could you run the ejabberd debug console (ejabberdctl debug) and inside it try executing this: ssl:connect("192.168.56.12", 636, [{log_level, debug}]). and see what it produces? You can close the console later with double ctrl-c.

stephdl commented 3 years ago
[root@ns7loc14 testssl.sh]# systemctl status  ejabberd
● ejabberd.service - ejabberd XMPP Server
   Loaded: loaded (/usr/lib/systemd/system/ejabberd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-22 14:56:51 CET; 1h 5min ago
   CGroup: /system.slice/ejabberd.service
           ├─18492 /opt/ejabberd-20.12/bin/epmd -daemon
           ├─18494 /opt/ejabberd-20.12/bin/beam.smp -K true -P 250000 -- -root /opt/ejabberd-20.12 -progname /opt/ejabberd-20.12/b...
           ├─18502 erl_child_setup 65536
           ├─18532 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           ├─18533 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           ├─18534 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           ├─18535 /usr/bin/perl /usr/libexec/nethserver/ejabberd-auth
           └─18536 /opt/ejabberd-20.12/lib/os_mon-2.4.7/priv/bin/memsup

Jan 22 14:56:48 ns7loc14.nethservertest.org systemd[1]: Starting ejabberd XMPP Server...
Jan 22 14:56:51 ns7loc14.nethservertest.org systemd[1]: Started ejabberd XMPP Server.
[root@ns7loc14 testssl.sh]# /opt/ejabberd-20.12/bin/ejabberdctl debug
--------------------------------------------------------------------

IMPORTANT: we will attempt to attach an INTERACTIVE shell
to an already running ejabberd node.
If an ERROR is printed, it means the connection was not successful.
You can interact with the ejabberd node if you know how to use it.
Please be extremely cautious with your actions,
and exit immediately if you are not completely sure.

To detach this shell from ejabberd, press:
  control+c, control+c

--------------------------------------------------------------------
To bypass permanently this warning, add to ejabberdctl.cfg the line:
  EJABBERD_BYPASS_WARNINGS=true
Press return to continue

Erlang/OTP 21 [erts-10.3.4] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

Eshell V10.3.4  (abort with ^G)
(ejabberd@localhost)1> ssl:connect("192.168.56.12", 636, [{log_level, debug}]).
{error,{options,{socket_options,[{log_level,debug},
                                 {packet_size,0},
                                 {packet,0},
                                 {header,0},
                                 {active,false},
                                 {mode,binary}]}}}
(ejabberd@localhost)2> ssl:connect("192.168.56.12", 636, [{log_level, debug}]) 
(ejabberd@localhost)2> 

Not sure about the trailing dot, so I tested both cases

prefiks commented 3 years ago

Yeah, the dot is needed, but it looks like this version of erlang doesn't recognize this option; I think log_level was only added in the most recent version.

stephdl commented 3 years ago
(ejabberd@localhost)7> ssl:connect("192.168.56.12", 636, []).
{error,{tls_alert,{handshake_failure,"received CLIENT ALERT: Fatal - Handshake Failure"}}}

not sure whether it helps, but erlang itself cannot connect :|

prefiks commented 3 years ago

Yes, this is exactly what the ldap modules use to communicate over tls; that's why I asked you in the first place to try with the debug log_level — I was hoping it would show what it tries to negotiate.

stephdl commented 3 years ago
[root@ns7loc14 testssl.sh]# nmap  --script ssl-enum-ciphers 192.168.56.12 -p 636

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-22 17:35 CET
Nmap scan report for ttt.nethservertest.org (192.168.56.12)
Host is up (0.00048s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: weak
MAC Address: 52:54:00:8A:0E:24 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

testing with only strong ciphers/protocols on openldap

[root@ns7loc11 ~]# ldapmodify -Y EXTERNAL <<EOF
dn: cn=config
changetype: modify
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

as you can see with nmap, my slapd server now talks only TLS 1.2

I wanted to check whether eldap only wants to talk with HIGH ciphers

however the result is the same

(ejabberd@localhost)1> ssl:connect("192.168.56.12", 636, []).
{error,{tls_alert,{handshake_failure,"received CLIENT ALERT: Fatal - Handshake Failure"}}}
(ejabberd@localhost)2> 
stephdl commented 3 years ago

Even with a really strict policy, here is a working bind from dokuwiki for the user admin (conn=2072 below; the surrounding "TLS negotiation failure" entries are ejabberd's attempts)

Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 ACCEPT from IP=192.168.56.241:60898 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2070 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2071 fd=23 ACCEPT from IP=192.168.56.241:49325 (IP=0.0.0.0:636)
Jan 22 17:40:33 ns7loc11 slapd[29957]: conn=2071 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 ACCEPT from IP=192.168.56.241:43872 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 TLS established tls_ssf=256 ssf=256
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=0 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=1 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=2 SRCH base="ou=People,dc=directory,dc=nh" scope=2 deref=0 filter="(|(uid=admin)(mail=admin))"
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (uid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SRCH base="ou=Groups,dc=directory,dc=nh" scope=2 deref=0 filter="(memberUid=admin)"
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SRCH attr=cn
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (memberUid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=4 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND anonymous mech=implicit ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 BIND dn="cn=ldapservice,dc=directory,dc=nh" mech=SIMPLE ssf=0
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=5 RESULT tag=97 err=0 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=6 SRCH base="ou=People,dc=directory,dc=nh" scope=2 deref=0 filter="(|(uid=admin)(mail=admin))"
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (uid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SRCH base="ou=Groups,dc=directory,dc=nh" scope=2 deref=0 filter="(memberUid=admin)"
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SRCH attr=cn
Jan 22 17:40:34 ns7loc11 slapd[29957]: <= bdb_equality_candidates: (memberUid) not indexed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 op=8 UNBIND
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2072 fd=23 closed
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2073 fd=23 ACCEPT from IP=192.168.56.241:39538 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2073 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2074 fd=23 ACCEPT from IP=192.168.56.241:58724 (IP=0.0.0.0:636)
Jan 22 17:40:34 ns7loc11 slapd[29957]: conn=2074 fd=23 closed (TLS negotiation failure)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2075 fd=23 ACCEPT from IP=192.168.56.241:33552 (IP=0.0.0.0:636)
Jan 22 17:40:35 ns7loc11 slapd[29957]: conn=2075 fd=23 closed (TLS negotiation failure)

either my ejabberd configuration is bad, or something doesn't work as expected in ejabberd for openldap

:-?

this is the dokuwiki configuration


// DokuWiki authldap settings for the bind that succeeds in the slapd log
// above (conn=2072), against the same host and port ejabberd fails on.
$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldaps://192.168.56.12:636";   // LDAPS: TLS from connect, same endpoint as ldap_servers/ldap_port in ejabberd.yml
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(|(uid=%{user})(mail=%{user}))';   // matches the SRCH filter logged by slapd
$conf['plugin']['authldap']['groupfilter']  = '(memberUid=%{uid})';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn']     = "cn=ldapservice,dc=directory,dc=nh";   // same service account as ldap_rootdn in ejabberd.yml
$conf['plugin']['authldap']['bindpw']     = "V_85617fr2bK3Csj";   // NOTE(review): cleartext bind secret, identical to ldap_password in ejabberd.yml and now public — rotate it
$conf['plugin']['authldap']['starttls']   = 0;   // STARTTLS not needed: the ldaps:// URL above already encrypts from connect
$conf['plugin']['authldap']['modPass'] = 0;
nosnilmot commented 3 years ago

when I test externally my connectivity to my ldap server I have

That list only includes RSA key-exchange ciphers (the TLS_RSA_* suites, which use static RSA key exchange and offer no forward secrecy). Erlang/OTP >= 21 disables those by default, so the Erlang client and your slapd have no cipher suite in common and the handshake fails.

olcTLSProtocolMin: 3.0 olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

I would expect that to include far more than just the RSA key exchange ciphersuites reported by nmap. What does this report for you, on the same system?:

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'

stephdl commented 3 years ago

I think we run the default of CentOS 7.9

on the server running openldap

[root@ns7loc11 ~]# openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=MD5 
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5 
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5 

on the server running ejabberd

[root@ns7loc14 ~]# openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=MD5 
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5 
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5 
nosnilmot commented 3 years ago

On RHEL/CentOS, OpenLDAP is built against NSS for SSL/TLS rather than OpenSSL, so listing OpenSSL's ciphers on either host does not tell you which suites slapd actually offers; that check wasn't particularly useful, sorry.

Do you have a DH Parameter file (olcTLSDHParamFile) configured for OpenLDAP? See https://access.redhat.com/articles/1474813 for how to create one.

stephdl commented 3 years ago

Thanks for your help. I do not think we have a DH parameter file in our configuration; I will report it.

stephdl commented 3 years ago

I think I owe you a beer — when I can buy you a drink, do you spend time at FOSDEM?

The key point is that Erlang/OTP 21 expects the LDAP server to offer a DHE cipher suite, which requires a DH parameter file on the slapd side; I run a default TLS-enabled OpenLDAP on CentOS 7 without one. (Caveat for anyone copying the commands below: 1024-bit DH parameters are considered weak today; generate 2048 bits or more in production. The parameter file itself is not secret, so 0644 permissions are fine.)

[root@ns7loc11 ~]# openssl dhparam -out /etc/openldap/certs/slapd.dh.params.tmp 1024
[root@ns7loc11 ~]# mv /etc/openldap/certs/slapd.dh.params.tmp  /etc/openldap/certs/slapd.dh.params
[root@ns7loc11 ~]# ldapmodify -Y EXTERNAL <<EOF
> dn: cn=config
> changetype: modify
> replace: olcTLSDHParamFile
> olcTLSDHParamFile:  /etc/openldap/certs/slapd.dh.params
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@ns7loc11 ~]# ll /etc/openldap/certs/slapd.dh.params
-rw-r--r-- 1 root root 245 Jan 25 16:47 /etc/openldap/certs/slapd.dh.params
[root@ns7loc11 ~]# systemctl restart slapd
stephdl commented 3 years ago

Erlang/OTP 21 expects a TLS_DHE_RSA cipher suite to be available for the TLS handshake; the scan below confirms that slapd now offers them. (Note that this nmap 6.40 "strong" grading is dated — it still rates 3DES as strong and does not distinguish the non-forward-secret TLS_RSA_* suites — so treat it as a cipher inventory, not a security assessment.)

[root@ns7loc14 ~]# nmap  --script ssl-enum-ciphers 192.168.56.12 -p 636

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-25 21:48 CET
Nmap scan report for ttt.nethservertest.org (192.168.56.12)
Host is up (0.00048s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong
MAC Address: 52:54:00:E5:55:1E (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
stephdl commented 3 years ago

I would like to close this issue, but I think there may be something to add to the ejabberd documentation — or do you think the documentation already states this requirement (an LDAP server reachable with a DHE cipher suite, i.e. DH parameters configured) somewhere?

stephdl commented 3 years ago

We closed the issue on our project, so let's close this one too. Thanks again for helping us fix our problem.