
Re: TLS error: fatal: protocol version



At 02:21 AM 11/1/2004, Greg Matthews wrote:
>On Fri, 2004-10-29 at 18:35, Quanah Gibson-Mount wrote:
>
>> Okay, well, you might want to upgrade off of 0.9.7c since it has security 
>> issues.  What is the ldapsearch command you are running when you get this 
>> error?  I read through your original post, and I don't see that bit of 
>> information included...
>
>guess my mail wasn't clear enough. This error occurs when using
>tls_checkpeer in the libnss-ldap config file (this would be
>/etc/ldap.conf on a redhat box but this is debian). i.e. when validating
>the server certificate against the CA cert when doing nss lookups. When
>using -ZZ in an ldapsearch, no such error occurs even with the exact
>same config in my .ldaprc file pointing at the exact same cert. This
>suggests to me that my certs are ok (they've worked for a year or more
>in production!). However, as the logs are from the openldap server, this
>is an openldap error message and I was hoping someone would know what it
>meant.

Actually, it's an OpenSSL error message string that slapd(8) is making
available to the logs as a result of some OpenSSL error.  As to why
OpenSSL had an error and returned this string error message is really
a question for an OpenSSL list <openssl-users@openssl.org>.

As you note that ldapsearch(1) is working just fine, it would
seem your problem lies in NSS/LDAP and/or its configuration.
The NSS/LDAP mailing list <nssldap@padl.com> is the place to
discuss such problems.

Kurt