Re: Strange TLS behaviour with slapd 2.3.30 on Debian Etch

[Howard Chu <hyc@symas.com>]

Fabian Steiner wrote:
> Howard Chu wrote:
> > Fabian Steiner wrote:
> > > Of course, I don't want to hijack the OP's thread but as our problems
> > > seem to be rather similar I can also provide the corresponding slapd log:
> > This looks like a simple configuration error; you have slapd configured to
> > require client certificates and the client didn't send one. Either you need
> > to configure the client with a certificate, or you need to relax the
> > requirement on the server.
> > [...]
>
> In fact, this was also our first assumption after having analyzed the output
> for the very first time but due to our configuration this should't happen:
>
> [...]
> TLSCertificateFile      /etc/ssl-certs/ldap.crt
> TLSCertificateKeyFile   /etc/ssl-certs/ldap.key
> TLSCACertificateFile    /etc/ssl-certs/ca.crt
> TLSVerifyClient never
> [...]
>
> Moreover, this wouldn't explain why it /does/ work for some time (as far as
> our case is concerned it works as long as slapd isn't restarted). Once the
> problem has occured the server has to be rebooted in order to ensure a
> working setup again :-(

The fact that a reboot is required indicates that any problem is not in any 
user-level code. Maybe your /dev/random has run out of entropy, or some other 
underlying system resource is gone. Maybe strace would help here.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/