Search code examples
perlopensslopenldapstarttls

Issue after software update: "Failed to set SSL cipher list error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list: no cipher match"

Several years ago I wrote a Perl CGI script that connects to an openLDAP server and starts TLS when available.

The script was running successfully with openLDAP-2.4.41 of SLES12 SP5 without a problem, but after updating some packages, the script cannot start TLS using $ldap->start_tls any more.

The error message is:

"Failed to set SSL cipher list error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list: no cipher match"

The updates installed were (AFAIK) openldap2-2.4.41-22.5.1 together with libopenssl1_1-1.1.1d-2.54.1. Specifically there was no update for the Perl LDAP modules.

My code does not specify a ciphers list, but is specifies the CA path and used require for certificate verification.

The part of the code that outputs the error message is:

$msg = $ldap->start_tls(%options);
if ($msg->code()) {
    perr($q 'start_TLS() failed: ', $msg->error);
}

A truly odd thing is that a simple test case started on a different server (that should have the same software) succeeds with cipher AES256-GCM-SHA384. Even when I run that script on the same server, it succeeds with the same cipher. The code used in the test case basically is:

my $m = $l->start_tls(verify => 'verify');
$m->code() || print $l->cipher(), "\n";

While looking closer, I noticed that my CA path is /etc/ssl/certs which is a symbolic link to /var/lib/ca-certificates/pem updated about the same time as the other RPM packages. Even when changing the CA path in the CGI to /var/lib/ca-certificates/pem I get the same error.

The web server being used was updated with the other packages, too; it it apache2-2.4.51-35.7.1. The Perl code runs with PerlResponseHandler ModPerl::Registry, and the apache RPM changelog says it was "build against openssl 1.1".

What might be wrong or causing this, and how can I fix it?

Solution

  • As my CGI script magically worked again after having installed current SLES 12 SP5 updates, I must assume that there was a bad update causing the failure.

    Suspecting that the packages causing that might have been apache2, perl, or openssl, I try to find the bad versions:

    apache2-2.4.51-35.7.1 libopenssl1_1-1.1.1d-2.54.1 were probably the bad versions, while libopenssl0_9_8-0.9.8j-106.33.1 apache2-2.4.51-35.13.1 openssl1_0_0-1.0.2p-3.48.1 fixed the problem again.