
Re: Still getting TLS errors with 2.3.11



Hi,

Andreas Hasenack <ahasenack@terra.com.br> writes:

> I reviewed ITS#4082 and I have that patch applied in tls.c (I'm running 2.3.11 
> which has it). However, I still get TLS errors when using "ldapsearch -ZZ":
> connection_get(13)
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=0
>
> TLS: can't accept.
> connection_read(13): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> daemon: removing 13
> conn=0 fd=13 closed (TLS negotiation failure)
>
> The client (ldapsearch) displays "ldap_start_tls: Connect error (-11)",
>
>
> ldapsearch -H ldaps:// also doesn't work:
> connection_get(14)
> connection_get(14): got connid=1
> connection_read(14): checking for input on id=1
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=0
>
> TLS: can't accept.
> connection_read(14): TLS accept error error=-1 id=1, closing
> connection_closing: readying conn=1 sd=14 for close
> connection_close: conn=1 sd=14
> daemon: removing 14
> conn=1 fd=14 closed (TLS negotiation failure)
>
> Here the client displays "ldap_bind: Can't contact LDAP server (-1)"

I just experienced the same problem and it took me a few minutes to find
the reason, which resulted in

TLS trace: SSL3 alert read:fatal:certificate expired
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired s3_pkt.c:1052
connection_read(15): TLS accept error error=-1 id=1, closing

Creating and signing a new set of certificates solved it.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
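A practical follow-up to the reply above, added here as an example and not part of the original thread or of OpenLDAP: before slapd reports "TLS negotiation failure", check the certificates slapd and ldapsearch will actually use for expiry and for chaining to the CA, since an expired certificate on either side produces exactly the "certificate expired" alert shown in the trace. The script assumes the openssl command-line tool is installed; the subject names, key sizes, validity periods and file names are assumptions, and the demo material is generated in a temporary directory rather than taken from any real deployment.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): check the TLS certificates
# slapd/ldapsearch use for expiry and CA chaining, and regenerate a CA-signed
# server certificate the way the reply describes.
# Assumptions: the openssl CLI is installed; all names and paths are made up.

set -eu

# Return 0 if CERT is still valid for at least DAYS more days, 1 otherwise.
# openssl -checkend takes seconds and exits non-zero if the certificate will
# have expired by then; an already-expired certificate fails as well.
cert_valid_for_days() {
    cert=$1
    days=${2:-0}
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print the notAfter line of a certificate, e.g. "notAfter=Jan  1 00:00:00 2027 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate
}

# Return 0 if CERT (2nd arg) verifies against CA_CERT (1st arg), 1 otherwise.
# slapd's TLSCACertificateFile and the client's TLS_CACERT must both name this
# CA, or the peer sends a fatal alert instead of finishing the handshake.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a fresh CA and a CA-signed server certificate in DIR, which is what the
# reply did to fix the handshake.  Subjects and key sizes are assumptions.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# Report on the CA and server certificate; return 1 if either is unusable.
# The 30-day margin gives time to reissue before slapd starts refusing clients.
check_ldap_certs() {
    ca=$1; server=$2; status=0
    for c in "$ca" "$server"; do
        if cert_valid_for_days "$c" 30; then
            echo "OK      $c  $(cert_not_after "$c")"
        else
            echo "EXPIRED $c  $(cert_not_after "$c")  (expired or expiring within 30 days)"
            status=1
        fi
    done
    if cert_chains_to "$ca" "$server"; then
        echo "OK      $server verifies against $ca"
    else
        echo "BROKEN  $server does not verify against $ca"
        status=1
    fi
    return $status
}

# Stand-alone demo: generate a fresh CA plus server certificate and check them.
DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
check_ldap_certs "$DEMO_DIR/ca.crt" "$DEMO_DIR/server.crt"
```

Run `check_ldap_certs` against the files named by slapd's TLSCACertificateFile and TLSCertificateFile (and, if the server requests client certificates, against the client's certificate too). To see the handshake from the client side with the same CA, `openssl s_client -connect ldap.example.test:636 -CAfile ca.crt` shows the server certificate and any fatal alert; recent OpenSSL releases also accept `-starttls ldap` for port 389.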