
SSL/TLS again



Hi all,

I'm trying to get my SSL/TLS things to work with ldap, e.g. I'd like ldapsearch -H ldaps://ldap.example.com to return entries. This command works if I execute it on the same machine the ldap server resides on, but not on another client!

First of all, my configuration:
slapd.conf contains
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+TLSv1:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cert/ca-certificate.pem
TLSCertificateFile /usr/local/etc/openldap/cert/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.key
TLSVerifyClient never

ldap.conf (on both machines)
TLS_REQCERT never
TLS_CACERT /usr/local/etc/openldap/cert2/ca-certificate.pem

First I try to search on the "server-computer". This works fine, both with -H ldaps://ldapserver and -ZZ. I also try to run openssl s_client -connect ldap.example.com:636, this returns ok.

Then I move to the other computer.
Running openssl s_client -connect ldap.example.com:636 returns
10097:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


Adding -ssl2 to the openssl command line returns
Verify return code: 0 (ok)

Running ldapsearch -H ldaps://ldap.example.com returns
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0

TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.

I've also tried to run openssl s_server with the same certs as the ldapserver uses on the "servercomputer", then I try to connect with both ldapsearch and openssl s_client; both work fine!

What could make things go wrong here? I'm using exactly the same configuration and ca-files on both machines. I have the same openssl version on both machines. I have OpenLDAP 2.2.26 on both machines.

Any help would be much appreciated!
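An added offline sanity check (example script, not part of the original post or of OpenLDAP) for the files named in slapd.conf and ldap.conf above: it verifies that the server certificate chains to the CA file the client trusts, that the private key belongs to the certificate, and that the certificate names the host clients connect to. It assumes only the openssl command-line tool; make_test_pki generates constructed test material, and the real paths from the post are shown in the usage comment.

```shell
#!/bin/sh
# Added example: consistency check of an ldaps server's TLS files.
# Assumes the openssl CLI is installed; all paths are parameters.
set -eu

# check_tls_files CA CERT KEY HOST
# Returns 0 only if CERT chains to CA, matches KEY, and is valid for HOST.
check_tls_files() {
  ca=$1; cert=$2; key=$3; host=$4; rc=0
  # 1. Does the server certificate chain to the CA the *client* trusts?
  #    (A client with TLS_REQCERT never skips this check, hiding a mismatch.)
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok: $cert chains to $ca"
  else
    echo "FAIL: $cert does not chain to $ca"; rc=1
  fi
  # 2. Does the private key belong to the certificate? Compare public keys.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "ok: $key matches $cert"
  else
    echo "FAIL: $key does not match $cert"; rc=1
  fi
  # 3. Does the certificate name the host that clients connect to?
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "ok: certificate is valid for $host"
  else
    echo "FAIL: certificate does not name $host"; rc=1
  fi
  return $rc
}

# make_test_pki DIR HOST: constructed test CA plus a server cert/key signed by
# it, using the file names from the post (ca-certificate.pem, certificate.pem,
# ldap.key). Not for production use.
make_test_pki() {
  d=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/ca-certificate.pem" -subj "/CN=Test CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/ldap.key" \
    -out "$d/ldap.csr" -subj "/CN=$host" >/dev/null 2>&1
  openssl x509 -req -in "$d/ldap.csr" -CA "$d/ca-certificate.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/certificate.pem" -days 1 \
    >/dev/null 2>&1
}

# Usage with the real files from the post (client-side CA file, server files):
#   check_tls_files /usr/local/etc/openldap/cert2/ca-certificate.pem \
#     /usr/local/etc/openldap/cert/certificate.pem \
#     /usr/local/etc/openldap/cert/ldap.key ldap.example.com
```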