OpenLDAP does not properly negotiate ciphers with clients

Solution Unverified - Updated -


OpenLDAP is not following RFC 5246 when negotiating ciphers for communication.

When the following is set for OpenLDAP:

security ssf=256 tls=256 update_ssf=256 simple_bind=256 update_tls=256
TLSCipherSuite HIGH:-SSLv2

And the following command is run:

openssl s_client -connect localhost:636 -key /etc/pki/private/ -cert /etc/pki/public/ -cipher DHE-RSA-AES256-SHA:ADH-AES256-SHA:ECDHE-RSA-AES128-SHA

Then, the following is output in the system log:

Oct 23 19:05:36 slapd[32576]: conn=1000 fd=13 TLS established tls_ssf=128 ssf=128
Oct 23 19:05:42 slapd[32576]: conn=1001 fd=13 TLS established tls_ssf=128 ssf=128

This should have been a 256 bit cihper. And, since the SSF is set to 256, all communication fails.


  • Red Hat Enterprise Linux 6
  • nss version 3.16.1-4

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In