ldapclient broken on bloody after 20240706T121049Z #1508

@sjorge

Description

Seems the ldapclient broke on bloody somewhere after 20240706T121049Z.

With some help on IRC I managed to reduce it to a TLS negotiation issue on newer BEs.

There is also an openldap update in extra since that date (2.6.7 -> 2.6.8); I ruled out this being the issue by testing:

  • new BE + openldap 2.6.7 -> broken
  • new BE + openldap 2.6.8 -> broken
  • old BE + openldap 2.6.7 -> works
  • old BE + openldap 2.6.8 -> works

Some more info on IRC: https://log.omnios.org/omnios/2024-08-15#1723722056-844661. Based on the IRC conversation I tried this:

  • openssl s_client --starttls ldap => old and new BE negotiate the same cipher set against both openldap versions: TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
  • old BE ldapclient also triggers good log entries in slapd's log: TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384, matching what openssl s_client also ends up choosing
  • new BE triggers TLS Negotiation Failure, seeming to indicate something changed w.r.t. ldapclient's TLS config

Some relevant openldap config:

olcTLSProtocolMin: 3.2
olcTLSCipherSuite: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
olcSecurity: tls=1
olcRequires: authc

Disabling TLS in slapd makes ldapclient work again, but this is obviously unacceptable.
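The troubleshooting above relies on reading slapd's connection log to see which TLS protocol and cipher each client actually negotiated, and which clients fail the handshake outright. The following script is an added example (not part of the issue or of the OpenLDAP/OmniOS projects) that parses those log entries and audits them against the olcTLSProtocolMin setting, so a new build environment that starts producing "TLS negotiation failure" lines can be spotted and correlated with its peer address. The log lines are constructed samples in slapd's usual `conn=N fd=N ...` format, and the mapping of olcTLSProtocolMin values to protocol names follows OpenLDAP's convention of using the SSL record-layer version (3.3 = TLSv1.2, 3.4 = TLSv1.3); the function and record names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample slapd log lines (not taken from the issue). The
# "TLS established ..." line mirrors the one quoted in the bug report.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=0 STARTTLS
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
conn=1001 fd=13 ACCEPT from IP=192.0.2.11:51235 (IP=0.0.0.0:389)
conn=1001 op=0 STARTTLS
conn=1001 fd=13 closed (TLS negotiation failure)
conn=1002 fd=14 ACCEPT from IP=192.0.2.12:51236 (IP=0.0.0.0:389)
conn=1002 fd=14 TLS established tls_ssf=128 ssf=128 tls_proto=TLSv1.2 tls_cipher=ECDHE-RSA-AES128-GCM-SHA256
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_OK_RE = re.compile(
    r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=\d+ "
    r"tls_proto=(\S+) tls_cipher=(\S+)"
)
TLS_FAIL_RE = re.compile(r"conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)")

# olcTLSProtocolMin is expressed as the SSL record-layer version (OpenLDAP convention).
PROTO_BY_OLC = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1",
                "3.3": "TLSv1.2", "3.4": "TLSv1.3"}
PROTO_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class Conn:
    """Per-connection view assembled from several slapd log lines (hypothetical record type)."""
    peer: str = "?"
    tls_proto: Optional[str] = None
    tls_cipher: Optional[str] = None
    tls_ssf: int = 0
    tls_failed: bool = False


def normalise_proto(name: str) -> str:
    # OpenSSL reports TLS 1.0 as plain "TLSv1"; align it with the table above.
    return "TLSv1.0" if name == "TLSv1" else name


def proto_min_from_olc(value: str) -> str:
    """Translate an olcTLSProtocolMin value such as '3.2' into a protocol name."""
    return PROTO_BY_OLC[value]


def parse_slapd_log(text: str) -> Dict[str, Conn]:
    """Fold ACCEPT / TLS established / TLS negotiation failure lines into per-conn records."""
    conns: Dict[str, Conn] = {}
    for line in text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns.setdefault(m.group(1), Conn()).peer = m.group(2)
        elif m := TLS_OK_RE.search(line):
            c = conns.setdefault(m.group(1), Conn())
            c.tls_ssf = int(m.group(2))
            c.tls_proto = normalise_proto(m.group(3))
            c.tls_cipher = m.group(4)
        elif m := TLS_FAIL_RE.search(line):
            conns.setdefault(m.group(1), Conn()).tls_failed = True
    return conns


def audit(conns: Dict[str, Conn], olc_min: str) -> Dict[str, List[str]]:
    """Return conn ids that failed the handshake, or negotiated below olcTLSProtocolMin."""
    floor = PROTO_ORDER.index(proto_min_from_olc(olc_min))
    report: Dict[str, List[str]] = {"failed": [], "below_min": [], "established": []}
    for cid, c in sorted(conns.items()):
        if c.tls_failed:
            report["failed"].append(cid)
        elif c.tls_proto is not None:
            report["established"].append(cid)
            if PROTO_ORDER.index(c.tls_proto) < floor:
                report["below_min"].append(cid)
    return report


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    report = audit(conns, "3.2")   # the issue's olcTLSProtocolMin
    for cid in report["failed"]:
        print(f"conn={cid} from {conns[cid].peer}: TLS negotiation failure")
    for cid in report["established"]:
        c = conns[cid]
        print(f"conn={cid} from {c.peer}: {c.tls_proto} {c.tls_cipher} ssf={c.tls_ssf}")
```

Running the audit against a log that also contains the failing client's address lets you confirm whether the failures cluster on hosts running the new build environment, which is the comparison the issue makes by hand between the old and new BE. A stricter olcTLSProtocolMin (for example 3.4) would additionally list connections that negotiated a lower protocol under `below_min`.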
