We are using tcl scripts to manage our ldap server, but after upgrading my computer to opensuse leap15, i get
‘protocol not supported’ when I try to do a ‘ldap::secure_connect <ldap.our.domain> 636’. On other systems (eg. sles12.2 )
the scripts still run without problems. If anybody has any ideas, they would be much appreciated!
If you think there’s something wrong with your script code,
Then this is the right forum.
If you think that your script code is correct but something may have happened elsewhere, then you should be posting in the Applications forum (IMO) since I’d consider how your LDAP server is running the most likely culprit.
If I were to hazard a guess,
There might be an SSL/TLS library mis-match.
You can test that by setting up both client and server as LEAP 15, fully updated.
Quite some algorithms used by SSL has been deprecated and disabled by default recently. Your server may be using them. In this case you should consider changing server configuration to use more secure variants.
Yes, that occurred to me too. So I did an openssl s_client to the ldap server on port 636, and it set up a session without problems, with:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
And when, in a tclsh, I give
% tls::ciphers tls1.2
I get a list of ciphers for 1,2 and I can see AES256-GCM-SHA384 included. I don’t know if that is a secure protocol, but I would expect that it would
be enough to enable a session.
Anyway, thanks for answering!
Sounds similar: https://core.tcl.tk/tcllib/tktview?name=7cf9323d38
If suggested fix works for you, you should open bug report on openSUSE bugzilla and reference the upstream bug.
Awesome, this indeed did the trick! I already opened a bug, but I will add this link to it right away. Thanks a million, you made my day!