no TLS 1.2 after changing certificate
Hi
I need to change my certificate on an OpenLDAP server (Debian Wheezy with
the latest updates (slapd-2.4.31-2+deb7u2)), but I'm facing a strange
problem using the ldaps protocol:
With the old certificate, I can use TLS 1.2 ciphers, but with the new
one, TLS 1.2 is not possible.
I use this nmap command to see what ciphers are proposed:
    nmap --script ssl-enum-ciphers -p 636 <fqdn>
When using the command with the old certificate, the following ciphers
appear (along with a TLSv1.1 cipher):
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
But when running the same command, on the same server, with only the
certificate files modified, I do not have the TLSv1.2 ciphers. And no
other configuration change is made to the slapd.conf file.
The certificates don't contain cipher instructions, so I don't
understand why I have this behavior.
Any ideas?
Regards
Norbert Gomes
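
The before/after comparison described in the message above can be automated when rotating certificates. This is an added example, not part of the original post: it parses two `ssl-enum-ciphers` outputs and reports protocol versions and cipher suites that disappeared. Both sample scans are constructed and abbreviated; the TLSv1.1 entry in particular is an assumption, since the post does not name that cipher.

```python
import re

# Constructed, abbreviated sample scans modelled on the output quoted above.
BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|_    cipher preference: client
"""
AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|_      NULL
"""

# nmap prefixes script output with "|" (or "|_" on the last line).
PROTO = re.compile(r"^\|[\s_]*((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|[\s_]*((?:TLS|SSL)_\w+)\b")

def parse_scan(text):
    """Map each protocol version to the set of cipher suites listed under it."""
    suites, current = {}, None
    for line in text.splitlines():
        if m := PROTO.match(line):
            current = m.group(1)
            suites[current] = set()
        elif current and (m := CIPHER.match(line)):
            suites[current].add(m.group(1))
    return suites

def regressions(before, after):
    """Return (protocols lost entirely, {protocol: cipher suites lost})."""
    old, new = parse_scan(before), parse_scan(after)
    lost_protocols = sorted(set(old) - set(new))
    lost_ciphers = {p: sorted(old[p] - new[p])
                    for p in old if p in new and old[p] - new[p]}
    return lost_protocols, lost_ciphers

if __name__ == "__main__":
    print(regressions(BEFORE, AFTER))
```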