[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd + TLS + verify client is not working as expected


i'm using slapd 2.3.30 on a Ubuntu 7.04 AMD64 machine and i've have some 
trouble to get it running with TLS. 
When the slapd daemon is started during the system start-up i cannot connect 
to the LDAP server with TLS. After a long search i figured out, that the 
slapd daemon requests a client certificate, but i haven't configured the 
server to do so. Here is the TLS configuration of slapd:

TLSVerifyClient never
TLSCACertificateFile /etc/ldap/certs/root.crt
#TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/ldap.arsoft.homeip.net.crt
TLSCertificateKeyFile /etc/ldap/private/ldap.arsoft.homeip.net.pem

And here's what the server says when i connect to it using ldapsearch -x -ZZ
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11): got connid=187
connection_read(11): checking for input on id=187
tls_read: want=5, got=5
  0000:  16 03 01 00 07                                     .....
tls_read: want=7, got=7
  0000:  0b 00 00 03 00 00 00                               .......
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 28                               ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not 
return a certificate s3_srvr.c:2455
connection_read(11): TLS accept failure error=-1 id=187, closing
connection_closing: readying conn=187 sd=11 for close
connection_close: conn=187 sd=11

The interesting thing is, that when i restart the slapd daemon manually, the 
server works fine and TLS is also working.

I don't known if this porblem is really a bug or not, but i don't know how to 
solve this problem by myself. Any help or advise is welcomed.

A. Roth

Attachment: signature.asc
Description: This is a digitally signed message part.