[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS error: fatal: protocol version

To: Howard Chu <hyc@symas.com>
Subject: Re: TLS error: fatal: protocol version
From: Greg Matthews <gmatt@nerc.ac.uk>
Date: Mon, 01 Nov 2004 16:30:33 +0000
Cc: OpenLDAP software list <openldap-software@OpenLDAP.org>
In-reply-to: <41864FE0.6040601@symas.com>
Organization: iTSS
References: <1098953701.11784.33.camel@lea.nerc-wallingford.ac.uk> <881C31C5C6D7E9D3002496D5@cadabra-dsl.stanford.edu> <1099041039.24901.35.camel@lea.nerc-wallingford.ac.uk> <5186746B3C7548CCC9549A4C@[10.0.0.1]> <1099304494.23889.31.camel@lea.nerc-wallingford.ac.uk> <41864FE0.6040601@symas.com>

On Mon, 2004-11-01 at 15:01, Howard Chu wrote:
> If you intend for a particular CA cert to be used systemwide then it 
> should be configured in OpenLDAP's ldap.conf file, not in your personal 
> .ldaprc. If the CA cert has not been made available to your nssldap 
> library then that could be part of the problem.

true, but I have a need to connect to many different remote ldap systems
and while *most* share a common CA I still need to personalise my
.ldaprc file to address this need. The CA cert is available to the
nssldap library.

> That's also possible. Since you say that ldapsearch works, what is the 
> likelihood that your nssldap module is actually linked against a 
> different set of libraries from your OpenLDAP commandline tools?

that is a possibility... I'll need to look further into it, however,
both the openssl and nssldap software packages are standard debian
packages from the sarge revision. It would be bad if they were
mismatched!

> >my workaround to the above problem is to turn of tls_checkpeer which is
> >default behaviour in many distros anyway. Am thinking not many are using
> >this option and perhaps it is broken.
> >  
> >
> No, it works fine in the Symas builds at least. Further discussion of 
> nss/pam_ldap config keywords probably belongs elsewhere, but I'll note 
> that in the Symas builds we discourage all use of the SSL/TLS options in 
> the nss/pam config file. Instead we set those options systemwide in the 
> ldap.conf. Anyone running with tls_checkpeer disabled for such a 
> sensitive security service may as well just turn TLS off and ask to be 
> hacked.

surely the pam/nss config file(s) are completely different and seperate
from the openldap config files so setting tls options in one will not
affect the operation of the other. I have these options in both config
files anyway so that users can use encryption when they wish to bind to
the directory as themselves. The last sentence above is a little harsh I
think... passwords are protected by ACLs, TLS encryption prevents idle
network snooping turning up user/proxy information, of course automount
info is visible for everyone to see (grrr).

As you say, this is getting off topic.

cheer

GREG

-- 
Greg Matthews
iTSS Wallingford	01491 692445

References:
- Re: TLS error: fatal: protocol version
  - From: Greg Matthews <gmatt@nerc.ac.uk>
- Re: TLS error: fatal: protocol version
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: TLS error: fatal: protocol version
Next by Date: Re: Replication Query
Index(es):
- Chronological
- Thread