[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6246) SSL fails over a network unless slapd runs with -d 2

Full_Name: Ed van Gasteren
Version: 2.4.12 and 2.4.15
OS: linux (Fedora 10, 11)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients.
The configuration is such that things work as expected even with security
tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with
-ZZ), nss and gq with TLS work like a charm.

On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and
Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd
with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace:
SSL_connect:SSLv3 read server certificate A".

Seems as if the normal code path has a flaw which gets corrected/bypassed by the
debugging code.

What puzzels me is that I find few references (google) to these kind of problems
as if nobody uses it this way.

- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412706 There they blame it on
GnuTLS. Here the symptoms are similar but GnuTLS is not in the picture.
- I have searched the openldap Mailing Lists archives for "ssl;client;server;-d
2". That gives a few hits with very similar problems but the threads provide no

I can provide loads of additional detail about my configuration and debug output
of the server and the ldapsearch client but I prefer to get some pointers about
what to test, look for or provide.