
Re: TLS error: fatal: protocol version



On Fri, 2004-10-29 at 18:35, Quanah Gibson-Mount wrote:

> Okay, well, you might want to upgrade off of 0.9.7c since it has security 
> issues.  What is the ldapsearch command you are running when you get this 
> error?  I read through your original post, and I don't see that bit of 
> information included...

Guess my mail wasn't clear enough. This error occurs when using
tls_checkpeer in the libnss-ldap config file (this would be
/etc/ldap.conf on a Red Hat box, but this is Debian), i.e. when validating
the server certificate against the CA cert when doing nss lookups. When
using -ZZ in an ldapsearch, no such error occurs, even with the exact
same config in my .ldaprc file pointing at the exact same cert. This
suggests to me that my certs are OK (they've worked for a year or more
in production!). However, as the logs are from the OpenLDAP server, this
is an OpenLDAP error message, and I was hoping someone would know what it
meant.

btw, I'm aware of the security risk with openssl 0.9.7c but I am not
immediately concerned. But perhaps the error is due to different
versions of a negotiated protocol?

My workaround to the above problem is to turn off tls_checkpeer, which is
the default behaviour in many distros anyway. Am thinking not many are using
this option and perhaps it is broken.

> 
> --Quanah

GREG
-- 
Greg Matthews
iTSS Wallingford	01491 692445
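As an added illustration (not part of Greg's message, nor configuration shipped by the libnss-ldap or OpenLDAP projects), here are the two client-side configs the message compares: the nss_ldap /etc/ldap.conf with the peer check he had to turn off, beside the OpenLDAP client .ldaprc that ldapsearch -ZZ reads. Hostname, base DN and the CA file path are assumptions.

```conf
# /etc/ldap.conf (nss_ldap / libnss-ldap), added example; host, base and paths are assumed
uri ldap://ldap.example.org/
base dc=example,dc=org
ssl start_tls

# The workaround from the message: peer check off (also the default in many
# distros). The server certificate is not verified, so any host answering on
# the port with a certificate, valid or not, is accepted for nss lookups.
#tls_checkpeer no

# The setting under discussion: verify the server certificate against this CA.
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca.crt

# ~/.ldaprc (OpenLDAP client library, used by ldapsearch -ZZ), added example
URI ldap://ldap.example.org/
BASE dc=example,dc=org
TLS_CACERT /etc/ssl/certs/ca.crt
TLS_REQCERT demand
```

With -ZZ, ldapsearch fails unless StartTLS succeeds; with TLS_REQCERT demand it also fails if the server certificate does not chain to TLS_CACERT, which is the same verification tls_checkpeer yes asks nss_ldap to perform. Pointing both files at the same CA file, as the message describes, is the fair comparison: if ldapsearch -ZZ succeeds and nss lookups do not, the certificate is not the variable.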