Wrong documentation for TLSCipherSuite

Can anyone explain what the syntax is for using more than one cipher with gnutls TLSCipherSuite?

Using a colon separated list fails even when the individual items from the list work as single ciphers. That is to say:

TLSCipherSuite FOO

works and

TLSCipherSuite BAR

works but

TLSCipherSuite FOO:BAR

results in slapd not starting up.

Hi,

I was wondering if you were still having this problem.

Regards
chuck

I am not having this problem in Hardy with slapd 2.4.9-0ubuntu0.8.04.3.

Jaunty uses a newer libgnutls option. The slapd.conf man page (and slapd-conf man page) still says you can find cipher names for TLSCipherSuite (and olcTLSCipherSuite) by running "gnutls-cli -l" but names output by that command are not accepted as options for TLSCipherSuite. This is a bug in the documentation.

If you look through the libgnutls source code (file gnutls26-2.4.2/lib/gnutls_priority.c function gnutls_priority_init() ) reveals option names.

As an example, this syntax is accepted by slapd if you use slapd.conf on Jaunty:

TLSCipherSuite SECURE256:SECURE128

but OpenLDAP on Hardy could use

TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1:TLS_RSA_ARCFOUR_MD5

and now slapd on Jaunty will not start if you try that despite what the manual page says about TLSCipherSuite accepting ciphers that "gnutls-cli -l" outputs.

Names and descriptions of the cipher suites supported by the libgnutls26 package on Jaunty and Karmic are available here:

http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-init

Thanks for the response.

Regards
chuck

In OpenLDAP 2.4.24, the man pages were updated to clarify the TLSCipherSuite option and to point to the gnutls-cli(1) man page as the authority on GnuTLS priority strings. Marking fixed.