  • From: Marco Gaiarin <address@concealed>
  • To: "Steve Shipway" (via sympa-users Mailing List) <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Strange things on LDAP queries...
  • Date: Tue, 30 Aug 2016 15:22:43 +0200

Hi! "Steve Shipway" (via sympa-users Mailing List)
wrote on that day...

> From your logs, it seems that the LDAP library is rejecting the TLS mode
> you are specifying ('tls'). The LDAP manual tells me that it should be
> 'tlsv1' or 'tlsv1_2'.
> However, it also appears that Sympa is disallowing 'tlsv1' as an option
> to the 'ssl_version' directive, and only wants 'tls'.

Exactly.


> Checking the code for Sympa 6.2.16, it definitely supports 'tlsv1'. I
> think you probably have an older 6.1.x or 6.0.x version of Sympa, which
> doesn't correctly handle the tls option any more? If this is the case,
> then you have 2 options -- either upgrade Sympa, or patch the code (in
> lib/Conf.pm under 6.2 but probably elsewhere in 6.1) to allow 'tlsv1' as
> an option to the ssl_version directive.

As stated in my first message, Debian wheezy, i.e. Sympa version
6.1.11~dfsg-5+deb7u2.

I've looked at /usr/share/sympa/lib/Conf.pm, and:

my %valid_keywords = ('ldap' => {
    'regexp'                      => '.*',
    'negative_regexp'             => '.*',
    'host'                        => '[\w\.\-]+(:\d+)?(\s*,\s*[\w\.\-]+(:\d+)?)*',
    'timeout'                     => '\d+',
    'suffix'                      => '.+',
    'bind_dn'                     => '.+',
    'bind_password'               => '.+',
    'get_dn_by_uid_filter'        => '.+',
    'get_dn_by_email_filter'      => '.+',
    'email_attribute'             => '\w+',
    'alternative_email_attribute' => '(\w+)(,\w+)*',
    'scope'                       => 'base|one|sub',
    'authentication_info_url'     => 'http(s)?:/.*',
    'use_ssl'                     => '1',
    'ssl_version'                 => 'sslv2/3|sslv2|sslv3|tlsv1',
    'ssl_ciphers'                 => '[\w:]+' },

seems OK. Grepping around for other 'tls' entries, I've found and corrected:

root@armitage:~# diff -ud /usr/share/sympa/lib/List.pm.orig /usr/share/sympa/lib/List.pm
--- /usr/share/sympa/lib/List.pm.orig 2016-08-30 15:04:12.184832071 +0200
+++ /usr/share/sympa/lib/List.pm 2016-08-30 15:04:25.092859033 +0200
@@ -827,7 +827,7 @@

'gettext_id' => 'use SSL (LDAPS)',

'order' => 2.5,
},
- 'ssl_version'
=> {'format' => ['sslv2','sslv3','tls'],
+ 'ssl_version'
=> {'format' => ['sslv2','sslv3','tlsv1'],

'default' => 'sslv3',

'gettext_id' => 'SSL version',

'order' => 2.5,

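Review bot: the 'default' => 'sslv3' line just below the changed 'format' list is left untouched, so any list that does not set ssl_version explicitly still negotiates SSLv3, the very protocol family this change is moving away from; changing the default to 'tlsv1' in the same hunk would close that gap. Two smaller points: the List.pm format list ['sslv2','sslv3','tlsv1'] and the Conf.pm regexp quoted above ('sslv2/3|sslv2|sslv3|tlsv1') still disagree on 'sslv2/3', and any existing list configuration that stores 'tls' will now fail validation until it is edited to 'tlsv1'.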
But the web interface still reported 'tls'. I've also restarted Apache, and now the web
interface correctly reports 'tlsv1'.


And user sync now works again. Thanks!!!

--
It won't be the sirens' song that makes us fall in love;
we know it well, we've heard it already (F. De Gregori)
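The thread boils down to a value ('tls') that Sympa 6.1's Conf.pm regexp never accepted, plus the fact that the values it does accept include obsolete SSL protocols. The following is an added checker, not part of the thread or of Sympa, that applies the quoted %valid_keywords regexps to the lines of an LDAP datasource paragraph and reports what would be rejected or is accepted but obsolete; the WEAK_SSL_VERSIONS set and the sample paragraph are assumptions constructed for the example.

```python
import re

# Accepted values per the 'ldap' entry of %valid_keywords quoted from
# Sympa 6.1's Conf.pm in the thread above; note that 'tls' is absent.
VALID_LDAP_KEYWORDS = {
    'host': r'[\w\.\-]+(:\d+)?(\s*,\s*[\w\.\-]+(:\d+)?)*',
    'timeout': r'\d+',
    'suffix': r'.+',
    'bind_dn': r'.+',
    'scope': r'base|one|sub',
    'use_ssl': r'1',
    'ssl_version': r'sslv2/3|sslv2|sslv3|tlsv1',
    'ssl_ciphers': r'[\w:]+',
}
# Assumption: values that pass the regexp but select obsolete protocols
# should be flagged so an operator does not silently keep SSLv2/SSLv3.
WEAK_SSL_VERSIONS = {'sslv2', 'sslv2/3', 'sslv3'}

def check_ldap_paragraph(text):
    """Check 'keyword value' lines of a Sympa LDAP datasource paragraph.
    Returns a list of (keyword, value, verdict) tuples in input order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        value = value.strip()
        pattern = VALID_LDAP_KEYWORDS.get(key)
        if pattern is None:
            findings.append((key, value, 'unknown keyword'))
        elif not re.fullmatch(pattern, value):   # Conf.pm anchors its regexps
            findings.append((key, value, 'rejected by Conf.pm regexp'))
        elif key == 'ssl_version' and value in WEAK_SSL_VERSIONS:
            findings.append((key, value, 'accepted but obsolete protocol'))
        else:
            findings.append((key, value, 'ok'))
    return findings

# Constructed sample mirroring the failing setup from the thread.
SAMPLE = """\
host ldap.example.org:636
use_ssl 1
ssl_version tls
scope sub
"""

if __name__ == '__main__':
    for key, value, verdict in check_ldap_paragraph(SAMPLE):
        print(f'{key:12} {value:22} {verdict}')
```

Running it on the sample flags only the ssl_version line; replacing 'tls' with 'tlsv1' makes every line pass, which is the fix the thread arrives at.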
