(ITS#6246) SSL fails over a network unless slapd runs with -d 2
Full_Name: Ed van Gasteren
Version: 2.4.12 and 2.4.15
OS: linux (Fedora 10, 11)
Submission from: (NULL) (188.8.131.52)
On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients.
The configuration is such that things work as expected even with security
tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with
-ZZ), nss and gq with TLS work like a charm.
On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and
Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd
with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace:
SSL_connect:SSLv3 read server certificate A".
Seems as if the normal code path has a flaw which gets corrected/bypassed by the
What puzzles me is that I find few references (google) to this kind of problem,
as if nobody uses it this way.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412706 There they blame it on
GnuTLS. Here the symptoms are similar but GnuTLS is not in the picture.
- I have searched the openldap Mailing Lists archives for "ssl;client;server;-d
2". That gives a few hits with very similar problems but the threads provide no
I can provide loads of additional detail about my configuration and debug output
of the server and the ldapsearch client but I prefer to get some pointers about
what to test, look for or provide.