info at gwarband.de
2017-Mar-20 18:14 UTC
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
I have also tested with 2.2.28 and this version has the same issue.

The finding of compatible ciphers is not the problem because I have uncommented the ldap entries:
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin 3.1

Maybe you have further ideas.

On 2017-03-20 17:42, Aki Tuomi wrote:
>> On March 20, 2017 at 5:28 PM info at gwarband.de wrote:
>>
>> Can somebody say something about this request?
>>
>> This is an email from the openldap-technical mailing list from
>> openldap.
>>
>> System details are mentioned in the other email.
>>
>> -------- Original Message --------
>> Subject: Re: Dovecot can't connect to openldap over starttls
>> Date: 2017-03-20 16:18
>> From: Dan White <dwhite at cafedemocracy.org>
>> To: info at gwarband.de
>> Cc: openldap-technical at openldap.org
>>
>> On 03/20/17 16:06 +0100, info at gwarband.de wrote:
>>>> Debug Dovecot's implementation of ldap_start_tls_s().
>>> I don't have any idea how to set a higher debug level to dovecot. In
>>> my opinion I have the highest. So I can't deliver a greater log.
>>
>> I recommend consulting Dovecot's advice on how to run a debugger, or dig
>> into the code which calls libldap.
>
> Hi!
> I just ran a quick test, and the following things are needed:
>
> uris = ldap://ldap.host.com
> tls = yes
> tls_ca_cert_file = /path/to/cert-bundle.crt
>
> this has been tested with 2.2.28, and works just fine. Not sure why
> you are having issues.
>
> Of course this could be anything between not finding compatible
> ciphers to the LDAP server actually expecting a client certificate, what
> with the logs not actually being too verbose unfortunately. There
> isn't too much to "debug" in Dovecot's TLS implementation, it's not
> doing anything fancy aside from calling ldap_start_tls_s.
>
> I am not sure what debugging you could try further.
>
> Aki
Aki Tuomi
2017-Mar-20 18:59 UTC
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Well, those actually *reduce* the possible algorithms that can be used, so uncommenting those can make things worse.

Anyways, your pcap seems incomplete, can you try again?

Aki

> On March 20, 2017 at 8:14 PM info at gwarband.de wrote:
>
> I have also tested with 2.2.28 and this version has the same issue.
>
> The finding of compatible ciphers is not the problem because I have
> uncommented the ldap entries:
> TLSCipherSuite
> SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
> TLSProtocolMin 3.1
>
> Maybe you have further ideas.
>
> On 2017-03-20 17:42, Aki Tuomi wrote:
> >> On March 20, 2017 at 5:28 PM info at gwarband.de wrote:
> >>
> >> Can somebody say something about this request?
> >>
> >> This is an email from the openldap-technical mailing list from
> >> openldap.
> >>
> >> System details are mentioned in the other email.
> >>
> >> -------- Original Message --------
> >> Subject: Re: Dovecot can't connect to openldap over starttls
> >> Date: 2017-03-20 16:18
> >> From: Dan White <dwhite at cafedemocracy.org>
> >> To: info at gwarband.de
> >> Cc: openldap-technical at openldap.org
> >>
> >> On 03/20/17 16:06 +0100, info at gwarband.de wrote:
> >>>> Debug Dovecot's implementation of ldap_start_tls_s().
> >>> I don't have any idea how to set a higher debug level to dovecot. In
> >>> my opinion I have the highest. So I can't deliver a greater log.
> >>
> >> I recommend consulting Dovecot's advice on how to run a debugger, or dig
> >> into the code which calls libldap.
> >
> > Hi!
> > I just ran a quick test, and the following things are needed:
> >
> > uris = ldap://ldap.host.com
> > tls = yes
> > tls_ca_cert_file = /path/to/cert-bundle.crt
> >
> > this has been tested with 2.2.28, and works just fine. Not sure why
> > you are having issues.
> >
> > Of course this could be anything between not finding compatible
> > ciphers to the LDAP server actually expecting a client certificate, what
> > with the logs not actually being too verbose unfortunately. There
> > isn't too much to "debug" in Dovecot's TLS implementation, it's not
> > doing anything fancy aside from calling ldap_start_tls_s.
> >
> > I am not sure what debugging you could try further.
> >
> > Aki
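To tell the two failure modes Aki mentions apart (the LDAP server refusing StartTLS at the protocol level, versus the server accepting it and the TLS handshake then failing on ciphers, trust or a demanded client certificate), here is an added example, not code from Dovecot or OpenLDAP, that performs the same StartTLS extended operation that libldap's ldap_start_tls_s() issues, by hand, and then reports the negotiated TLS version and cipher. Host name, port and CA bundle path are assumptions taken from the command line; the two sample server responses embedded below are constructed for the offline checks, not taken from the thread's pcap.

```python
"""Step-by-step LDAP StartTLS probe (added example; not Dovecot/OpenLDAP code).

Usage: python3 starttls_probe.py ldap.host.com /path/to/cert-bundle.crt
The host name and the CA bundle path are assumptions: use your own values,
ideally the same bundle you hand to Dovecot as tls_ca_cert_file.
"""
import socket
import ssl
import sys

# OID of the StartTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name  # 0x60 | 23
    message_id = b"\x02\x01" + bytes([msg_id])
    body = message_id + ext_req
    return b"\x30" + ber_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:  # 0x60 | 24 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)  # matchedDN (unused here)
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = sock.recv(2)
    if len(head) < 2:
        raise ConnectionError("server closed the connection before answering")
    length, extra = head[1], b""
    if length & 0x80:
        extra = sock.recv(length & 0x7F)
        length = int.from_bytes(extra, "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("truncated LDAPMessage")
        body += chunk
    return head + extra + body


def probe_starttls(host, port=389, ca_file=None, timeout=5.0):
    """Return (resultCode, diagnostic, tls_version, cipher_name).

    resultCode != 0: the LDAP layer refused StartTLS (diagnostic says why).
    ssl.SSLError raised: StartTLS was accepted but the TLS handshake failed
    (no common cipher/protocol, untrusted CA, client certificate demanded).
    """
    sock = socket.create_connection((host, port), timeout)
    try:
        sock.sendall(build_starttls_request(1))
        _, code, diag = parse_starttls_response(recv_ldap_message(sock))
        if code != 0:
            return code, diag, None, None
        # Same trust model Dovecot gets from tls_ca_cert_file: verify the chain
        # against the bundle and check the host name; handshake happens here.
        ctx = ssl.create_default_context(cafile=ca_file)
        tls = ctx.wrap_socket(sock, server_hostname=host)
        try:
            return 0, diag, tls.version(), tls.cipher()[0]
        finally:
            tls.close()
    finally:
        sock.close()


# Constructed sample responses (not captured from the thread's pcap):
SAMPLE_OK = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00"
SAMPLE_REFUSED = (b"\x30\x1d\x02\x01\x01\x78\x18\x0a\x01\x02\x04\x00\x04\x11"
                  + b"TLS not supported")

if __name__ == "__main__":
    target = sys.argv[1]
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        print(probe_starttls(target, ca_file=bundle))
    except ssl.SSLError as exc:
        print("StartTLS accepted by slapd, TLS handshake failed:", exc)
```

If the script prints a tuple with a TLS version and cipher, the server side of the handshake is fine with this CA bundle and the problem sits between Dovecot and libldap; an ssl.SSLError with the same bundle Dovecot uses reproduces the failure outside Dovecot, and the error text (protocol version, no shared cipher, certificate verify failed) narrows it further. A non-zero resultCode means slapd never got as far as TLS.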
info at gwarband.de
2017-Mar-20 19:24 UTC
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
I have a new pcap from the beginning to the end with openldap "TLS negotiation failed":
https://gwarband.de/openldap/tracefile.dump

The source ports are 45376 and 45377.

Tobias

On 2017-03-20 19:59, Aki Tuomi wrote:
> Well, those actually *reduce* the possible algorithms that can be
> used, so uncommenting those can make things worse.
>
> Anyways, your pcap seems incomplete, can you try again?
>
> Aki
>
>> On March 20, 2017 at 8:14 PM info at gwarband.de wrote:
>>
>> I have also tested with 2.2.28 and this version has the same issue.
>>
>> The finding of compatible ciphers is not the problem because I have
>> uncommented the ldap entries:
>> TLSCipherSuite
>> SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
>> TLSProtocolMin 3.1
>>
>> Maybe you have further ideas.
>>
>> On 2017-03-20 17:42, Aki Tuomi wrote:
>>>> On March 20, 2017 at 5:28 PM info at gwarband.de wrote:
>>>>
>>>> Can somebody say something about this request?
>>>>
>>>> This is an email from the openldap-technical mailing list from
>>>> openldap.
>>>>
>>>> System details are mentioned in the other email.
>>>>
>>>> -------- Original Message --------
>>>> Subject: Re: Dovecot can't connect to openldap over starttls
>>>> Date: 2017-03-20 16:18
>>>> From: Dan White <dwhite at cafedemocracy.org>
>>>> To: info at gwarband.de
>>>> Cc: openldap-technical at openldap.org
>>>>
>>>> On 03/20/17 16:06 +0100, info at gwarband.de wrote:
>>>>>> Debug Dovecot's implementation of ldap_start_tls_s().
>>>>> I don't have any idea how to set a higher debug level to dovecot.
>>>>> In my opinion I have the highest. So I can't deliver a greater log.
>>>>
>>>> I recommend consulting Dovecot's advice on how to run a debugger,
>>>> or dig into the code which calls libldap.
>>>
>>> Hi!
>>> I just ran a quick test, and the following things are needed:
>>>
>>> uris = ldap://ldap.host.com
>>> tls = yes
>>> tls_ca_cert_file = /path/to/cert-bundle.crt
>>>
>>> this has been tested with 2.2.28, and works just fine. Not sure why
>>> you are having issues.
>>>
>>> Of course this could be anything between not finding compatible
>>> ciphers to the LDAP server actually expecting a client certificate,
>>> what with the logs not actually being too verbose unfortunately. There
>>> isn't too much to "debug" in Dovecot's TLS implementation, it's not
>>> doing anything fancy aside from calling ldap_start_tls_s.
>>>
>>> I am not sure what debugging you could try further.
>>>
>>> Aki