
Net::LDAPS using weak encryption?


Gregory K. Ruiz-Ade

Aug 18, 2008, 12:56:15 PM
to perl...@perl.org
I'm using a custom perl script, using perl-ldap (Net::LDAP).

When I connect with the script to the ldaps:// server, I get this in
the logs:

Aug 15 16:57:14 csenet slapd2.3[4105]: conn=1326 fd=15 TLS established tls_ssf=56 ssf=56
Aug 15 16:57:14 csenet slapd2.3[4105]: conn=1326 op=0 BIND dn="<binddn>" method=128
Aug 15 16:57:14 csenet slapd2.3[4105]: conn=1326 op=0 RESULT tag=97 err=13 text=stronger confidentiality required

The truly confusing part is when I do an ldapsearch (instead of trying
the perl script) it works correctly:

Aug 15 17:00:08 csenet slapd2.3[4105]: conn=1331 fd=15 TLS established tls_ssf=256 ssf=256
Aug 15 17:00:08 csenet slapd2.3[4105]: conn=1331 op=0 BIND dn="<binddn>" method=128
Aug 15 17:00:08 csenet slapd2.3[4105]: conn=1331 op=0 BIND dn="<binddn>" mech=SIMPLE ssf=0
Aug 15 17:00:08 csenet slapd2.3[4105]: conn=1331 op=0 RESULT tag=97 err=0 text=

Both connections are to port 636 (LDAP/SSL).

Anyone have any ideas why perl-ldap/Net::LDAP would be using such
much weaker encryption? I've got all the necessary certificates properly
installed for openssl.

Is there a configuration option that changed from version 0.31 (on our
RHEL/CentOS 4 systems, where everything works) to 0.33 (on our RHEL/
CentOS 5 systems, where this doesn't work)?

I had been simply calling Net::LDAP->new() with the ldaps:// URI
before, but have tried Net::LDAPS->new() with various options set, to
no effect. What am I missing?

Thanks,

Gregory


--
Gregory K. Ruiz-Ade
Sr. Systems Administrator
Computer Science and Engineering
University of California, San Diego
Office: EBU3b 1216
Phone: (858) 822-2625
E-mail: gk...@cs.ucsd.edu

Gregory K. Ruiz-Ade

Aug 18, 2008, 1:42:31 PM
to perl...@perl.org
On Aug 18, 2008, at 9:56 AM, Gregory K. Ruiz-Ade wrote:

> Anyone have any ideas why perl-ldap/Net::LDAP would be using such
> weaker encryption? I've got all the necessary certificates properly
> installed for openssl.
>
> Is there a configuration option that changed from version 0.31 (on
> our RHEL/CentOS 4 systems, where everything works) to 0.33 (on our
> RHEL/CentOS 5 systems, where this doesn't work)?


Turns out I needed to add the option:

ciphers => 'HIGH'

to my Net::LDAPS->new() call.

Works perfectly now.

Apparently the defaults changed somewhere in the differences between
RHEL4 and RHEL5.
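A client that applies the fix from the reply above (ciphers => 'HIGH') and also checks, on the client side, which cipher was actually negotiated before it sends a bind password; this is an added example, not code from the thread. The host, bind DN, CA path and the LDAP_PW environment variable are placeholders, and the weak-cipher name pattern is a simple heuristic, not an authoritative list.

```perl
#!/usr/bin/perl
# Added example (not from the thread): Net::LDAPS with an explicit strong
# cipher list, server-certificate verification, and a client-side check of
# the negotiated cipher before any credentials cross the wire.
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_CONFIDENTIALITY_REQUIRED);

my $host    = 'ldap.example.invalid';                 # placeholder
my $bind_dn = 'cn=placeholder,dc=example,dc=invalid'; # placeholder
my $capath  = '/etc/openldap/cacerts';                # placeholder: hashed CA dir

# Without 'ciphers', the default list on RHEL5 let slapd negotiate a 56-bit
# cipher (the thread's "tls_ssf=56"; slapd's ssf is the cipher's key bits),
# and the server then refused the bind with err=13.
my $ldap = Net::LDAPS->new(
    $host,
    port    => 636,
    ciphers => 'HIGH',     # OpenSSL cipher-list string, as in the thread's fix
    verify  => 'require',  # fail unless the server cert chains to $capath
    capath  => $capath,
) or die "ldaps connect to $host failed: $@\n";

# socket() returns the underlying IO::Socket::SSL object, so the client can
# see the negotiated cipher itself instead of relying on the server log.
my $cipher = $ldap->socket->get_cipher;
print "negotiated cipher: $cipher\n";

# Heuristic guard: refuse to send a password over export, NULL, single-DES,
# RC4 or anonymous-DH suites even if the cipher list was misconfigured.
die "refusing to bind over weak cipher $cipher\n"
    if $cipher =~ /^(?:EXP|NULL|ADH)|DES-CBC-|RC4/;

defined $ENV{LDAP_PW} or die "set LDAP_PW in the environment\n";
my $mesg = $ldap->bind($bind_dn, password => $ENV{LDAP_PW});

if ($mesg->code == LDAP_CONFIDENTIALITY_REQUIRED) {
    # This is the "stronger confidentiality required" (err=13) from the log:
    # the server's security-strength policy rejected the negotiated cipher.
    die "server requires a stronger cipher than $cipher\n";
}
elsif ($mesg->code != LDAP_SUCCESS) {
    die sprintf "bind failed: code=%d (%s)\n", $mesg->code, $mesg->error;
}

print "bound as $bind_dn over $cipher\n";
$ldap->unbind;
```

Comparing the printed cipher with the tls_ssf value slapd logs for the same connection is a quick way to confirm that the client and server agree on what was negotiated.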
