Finally found the explanation :-)
gnutls on wheezy don't support SHA512 certificates.
The workaround is to disable the TLS1.2 cipher :
Le 17/03/2017 à 10:23, Norbert Gomes a écrit :
Hi I need to change my certificate on a Openldap server (Debian Wheezy with the latest updates (slapd-2.4.31-2+deb7u2) but I'm facing a strange problem using ldaps protocol : With the old certificate, I can use TLS 1.2 Cipher, but with the new one, the TLS 1.2 is not possible I use this nmap command to see what ciphers are proposed : nmap --script ssl-enum-ciphers -p 636 <fqdn> When using the command with the old certificate, the following cipher appears (with also a TLSv1.1 cipher) : | TLSv1.2: | ciphers: | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: client But when doing the same command, on the same server, with only the certificate files modified, I do not have the TLSv1.2 cipher. And no other configuration change is made on the slapd.conf file. The certificates doesn't contain the cipher instructions, so I don't understand why I have this behavior. Any ideas ? Regards Norbert Gomes