Re: (ITS#4144) Strange problem in client libs with SSL connect

Hmmm. I can finally reproduce your "strange #1" log with OpenLDAP software.

$ ldapsearch -x -H "ldaps://ldap.nbcs.rutgers.edu/" -b "dc=rutgers,dc=edu" -d -1
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP ldap.nbcs.rutgers.edu:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_bind: Can't contact LDAP server (-1)

To get the above trace, I commented out both TLS_CACERT and TLS_CACERTDIR.
(I never saw it before because I usually used StartTLS, which does not
look the same.) I'd check the CA option processing. OpenLDAP's debug
options don't really show the client parsing of ldap.conf nor CAs (as you
can see above), so some quality time with a debugger or truss/{s,l}trace
might be in order.

I might also try for workarounds. For instance, I'd try putting both your
intermediate and final certs into a file and configuring it as your
TLS_CACERT; e.g., there might just be a bug with CACERTDIR processing. Not
that that shouldn't be tracked down, but at least that could get things
working in the meantime. And as you point out, there might be something
with the X.509 extensions you have. I recognize that you wouldn't want to
share your certs with the world, but if you could come up with certs or
instructions for the ever-popular Snake Oil Authority to issue the same
extensions/intermediate chain/etc., that could be a good thing.