
RE: Pls help: ldap_start_tls_s fails



Hi all,

I wrote a simple program that calls ldap_start_tls_s on HP-UX 11.00 with OpenLDAP 2.1.29.  I put the following lines in ldap.conf:

TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_REQCERT allow


The program always fails with the error "ldap_start_tls failed: Connect error (91)".  ssldump on the OpenLDAP server shows the following:

---------------------------- cut here ------------------------

1 1  0.0462 (0.0462)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  Unknown value 0x39  
  Unknown value 0x38  
  Unknown value 0x35  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  SSL2_CK_3DES  
  Unknown value 0x33  
  Unknown value 0x32  
  Unknown value 0x2f  
  TLS_RSA_WITH_IDEA_CBC_SHA  
  SSL2_CK_IDEA  
  SSL2_CK_RC2  
  TLS_DHE_DSS_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  SSL2_CK_RC4  
  SSL2_CK_RC464  
  TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  SSL2_CK_DES  
  TLS_DHE_DSS_WITH_RC2_56_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA  
  TLS_RSA_EXPORT1024_WITH_RC4_56_MD5  
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  SSL2_CK_RC2_EXPORT40  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  SSL2_CK_RC4_EXPORT40  
1 2  0.0468 (0.0005)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          b9 09 75 14 9b 59 8c e9 4a 69 af 03 30 5e 8a 70 
          f2 66 f7 8a 8b 74 49 d1 d2 a3 e6 9a 8d 16 f2 bb 
        cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
1 3  0.0469 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0469 (0.0000)  S>C  Handshake
      ServerHelloDone
1    0.0775 (0.0305)  C>S  TCP FIN
1    0.0777 (0.0002)  S>C  TCP FIN
---------------------------- cut here ------------------------

However, "ldapsearch -ZZ" on the same machine works.  I got the same results when I tried different LDAP servers (OpenLDAP and SunDS).

Please help.  Thanks a lot.

/ST Wong
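The ssldump trace in the post is the most useful evidence in it: the server answers the ClientHello with ServerHello, Certificate and ServerHelloDone, and then the client side sends a TCP FIN without ever sending ClientKeyExchange or a TLS alert. Below is an added example (not code from the original post or from OpenLDAP) of a small Python script that parses ssldump record listings and reports which handshake stage was reached and which side closed the connection, so that the "client gave up after seeing the certificate" pattern can be told apart from a server-side rejection or a completed handshake. SAMPLE_TRACE is a constructed, shortened excerpt of the trace above; COMPLETED_TRACE is a constructed trace of a handshake that goes through, for contrast. The verdict wording and the stage ordering are this example's own, the message names are ssldump's.

```python
"""Walk an ssldump trace and report where a TLS handshake broke off.

Added example for the thread above, not code from the original post. Both
traces below are constructed: SAMPLE_TRACE shortens the post's ssldump
output (cipher list and session id trimmed), COMPLETED_TRACE is a made-up
successful handshake used for contrast.
"""
import re

# Record header lines. The record number is absent for TCP events:
#   "1 2  0.0468 (0.0005)  S>C  Handshake"
#   "1    0.0775 (0.0305)  C>S  TCP FIN"
RECORD_RE = re.compile(
    r"^(?P<conn>\d+)\s+(?P<rec>\d+\s+)?(?P<t>[\d.]+)\s+\((?P<dt>[\d.]+)\)\s+"
    r"(?P<dir>[CS]>[CS])\s+(?P<desc>.+)$"
)
# ssldump's handshake message names, in the order a TLS 1.0 handshake sends them.
STAGES = ["ClientHello", "ServerHello", "Certificate", "ServerKeyExchange",
          "CertificateRequest", "ServerHelloDone", "ClientKeyExchange",
          "CertificateVerify", "ChangeCipherSpec", "Finished"]
DETAIL_KEYS = {"Version", "cipherSuite", "compressionMethod", "level", "value"}

SAMPLE_TRACE = """\
1 1  0.0462 (0.0462)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
1 2  0.0468 (0.0005)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          b9 09 75 14 9b 59 8c e9 4a 69 af 03 30 5e 8a 70
        cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
1 3  0.0469 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0469 (0.0000)  S>C  Handshake
      ServerHelloDone
1    0.0775 (0.0305)  C>S  TCP FIN
1    0.0777 (0.0002)  S>C  TCP FIN
"""

COMPLETED_TRACE = """\
1 1  0.0100 (0.0100)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
1 2  0.0110 (0.0010)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
1 3  0.0110 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0110 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.0200 (0.0090)  C>S  Handshake
      ClientKeyExchange
1 6  0.0201 (0.0001)  C>S  ChangeCipherSpec
1 7  0.0202 (0.0001)  C>S  Handshake
1 8  0.0250 (0.0048)  S>C  ChangeCipherSpec
1 9  0.0251 (0.0001)  S>C  Handshake
"""


def parse_ssldump(text):
    """Return [(direction, message, details), ...], one entry per record.

    message is a STAGES name, 'Alert', 'TCP FIN', 'TCP RST', or ssldump's raw
    description (e.g. an encrypted 'Handshake' it cannot name). details holds
    the indented key/value lines; a ClientHello also gets 'offered' suites.
    """
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            desc = m.group("desc").strip()
            msg = "ClientHello" if desc.lower().endswith("client hello") else desc
            records.append([m.group("dir"), msg, {}])
            continue
        stripped = line.strip()
        if not records or not stripped or not line.startswith(" "):
            continue
        msg, details = records[-1][1], records[-1][2]
        if msg == "Handshake" and stripped in STAGES:
            records[-1][1] = stripped      # "Handshake" record named on next line
            continue
        parts = stripped.split(None, 1)
        if parts[0] in DETAIL_KEYS and len(parts) == 2:
            details.setdefault(parts[0], parts[1].strip())
        elif msg == "ClientHello" and stripped != "cipher suites":
            details.setdefault("offered", []).append(stripped)
    return [tuple(r) for r in records]


def diagnose(records):
    """Summarise a parsed trace: negotiated parameters, furthest stage,
    closing side, and a verdict on where the failure was decided."""
    seen = [(d, m) for d, m, _ in records]
    hello = next((det for _, m, det in records if m == "ServerHello"), {})
    client = next((det for _, m, det in records if m == "ClientHello"), {})
    reached = [m for _, m in seen if m in STAGES]
    last_stage = max(reached, key=STAGES.index) if reached else None
    closer = next((d for d, m in seen
                   if m in ("TCP FIN", "TCP RST") or m.startswith("Alert")), None)
    closed_by = {"C>S": "client", "S>C": "server", None: None}[closer]
    alert = next((det for _, m, det in records if m.startswith("Alert")), None)
    if {("C>S", "ChangeCipherSpec"), ("S>C", "ChangeCipherSpec")} <= set(seen):
        verdict = "handshake completed; the failure, if any, is after TLS setup"
    elif closed_by == "client" and last_stage in ("Certificate", "ServerKeyExchange",
                                                  "ServerHelloDone"):
        verdict = ("client aborted after receiving the server certificate and never "
                   "sent ClientKeyExchange: the decision was made on the client side"
                   + (", with a TLS alert" if alert else ", without any TLS alert"))
    elif closed_by == "server" and last_stage == "ClientHello":
        verdict = "server rejected the ClientHello (no ServerHello sent)"
    else:
        verdict = "handshake stopped at %s; closed by %s" % (last_stage, closed_by)
    offered = client.get("offered", [])
    return {"version": hello.get("Version"), "cipher_suite": hello.get("cipherSuite"),
            "last_stage": last_stage, "closed_by": closed_by, "alert": alert,
            "sslv2_suites_offered": sum(s.startswith("SSL2_CK_") for s in offered),
            "export_suites_offered": sum("EXPORT" in s for s in offered),
            "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("post", SAMPLE_TRACE), ("completed", COMPLETED_TRACE)):
        print("==", name)
        for key, val in diagnose(parse_ssldump(trace)).items():
            print("  %-22s %s" % (key, val))
```

Run against a full ssldump capture (`ssldump -i eth0 port 389` on the server, then paste the listing into SAMPLE_TRACE or read it from a file) the script tells you which side made the decision to drop the connection; in the post's trace that is the client, after the server's Certificate, with no alert sent, which is the point to start debugging from on the client host. The SSLv2 and export suite counts are a side note: the client in the post is offering SSLv2-compatible and 40-bit export suites, which a TLS deployment should be configured not to offer.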