During the upgrade of Openssl and OpenLDAP on Windows Servers 2016 & 2019, from Openssl 1.1.1k and OpenLDAP 2.4.47 to Openssl 3.0.10 and OpenLDAP 2.5.16, an error has emerged. Despite validating certificates and ensuring TLS protocol version 1.2 for communication with the LDAP server, the error persists. The connection to the LDAP server is established via the Windows API. Is there any recommended CipherSuite for this migration?
Error Log:
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:SSLv3/TLS read client hello
TLS trace: SSL_accept:SSLv3/TLS write server hello
TLS trace: SSL_accept:SSLv3/TLS write certificate
TLS trace: SSL_accept:SSLv3/TLS write key exchange
TLS trace: SSL_accept:SSLv3/TLS write certificate request
tls_write: want=1800, written=1800
TLS trace: SSL_accept:SSLv3/TLS write server done
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3/TLS write server done
daemon: activity on 1 descriptor
daemon: waked
daemon: WSselect: listen=2 active_threads=0 tvp=NULL
daemon: activity on 4 descriptors
daemon: activity on:656830b0.2bc5f387 000027C0 3r656830b0.2bc7812f 000027C0
daemon: read activity on 3
daemon: WSselect: listen=2 active_threads=0 tvp=NULL
connection_get(3)
connection_get(3): got connid=1000
connection_read(3): checking for input on id=1000
tls_read: want=5, got=0
TLS trace: SSL_accept:error in SSLv3/TLS write server done
TLS: can't accept: (unknown).
connection_read(3): TLS accept failure error=-1 id=1000, closing
connection_closing: readying conn=1000 sd=3 for close
daemon: activity on 1 descriptor
daemon: waked
daemon: WSselect: listen=2 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=3
daemon: removing 3
conn=1000 fd=3 closed (TLS negotiation failure)
Registry entries:
[...\SCHANNEL\Protocols]
[...\SCHANNEL\Protocols\SSL 2.0]
[...\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[...\SCHANNEL\Protocols\SSL 3.0]
[...\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[...\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault "=dword:00000001
[...\SCHANNEL\Protocols\TLS 1.0]
[...\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[...\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[...\SCHANNEL\Protocols\TLS 1.2]
[...\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[...\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[...\SCHANNEL\Protocols\TLS 1.3]
[...\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[...\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
Slapd.conf file:
include D:/Test/schema/core.schema
include D:/Test/schema/test.schema
security ssf=256