Re: TLS failures with OS X clients

> hex dumps snipped).  Is there any other debugging I can do to figure
> out why the first connection is rejected by slapd?

I {saw,do see} this.

conn=2906509 fd=65 ACCEPT from IP={OSX}:56362 (IP=
conn=2906509 fd=65 closed (TLS negotiation failure)

The debugging you can do, and I think I actually did start a while back,
is taking packet dumps and then pulling out the source
(www.opensource.apple.com). I decided that it was nothing short of a
blessing that DSLDAPv3 was working in the first place (it has a long and
disgusting history of retrying passwords, and we use one-time tokens) and
let it go. All the clients do something goofy, and we have to deal with

It'd still be cool to get this fixed. They use libldap, so it's probably
not even that hard. But filing a bug with Apple has been close to a joke
in my experience, and 90%+ of Mac mailing lists are at the point of "You
have to click the Lock icon to change Directory configurations." Thanks.
If somebody can point me to a mailing list with an Apple DirectoryService
committer on it, maybe there's progress to be had on this. Otherwise...the
robustness principle continues to apply.
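
The ACCEPT and closed lines quoted above can be joined on conn= to count, per client, how often the handshake fails and whether the next connection from that client goes through. This is an added example, not part of the original post; the function name, the sample log lines and the listener suffix `(IP=0.0.0.0:636)` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in slapd connection-log format (documentation IPs).
SAMPLE_LOG = """\
conn=1001 fd=65 ACCEPT from IP=192.0.2.10:56362 (IP=0.0.0.0:636)
conn=1001 fd=65 closed (TLS negotiation failure)
conn=1002 fd=65 ACCEPT from IP=192.0.2.10:56363 (IP=0.0.0.0:636)
conn=1002 op=0 BIND dn="" method=128
conn=1002 fd=65 closed
conn=1003 fd=66 ACCEPT from IP=192.0.2.20:40112 (IP=0.0.0.0:636)
conn=1003 fd=66 closed
conn=1004 fd=65 ACCEPT from IP=192.0.2.10:56370 (IP=0.0.0.0:636)
conn=1004 fd=65 closed (TLS negotiation failure)
"""

# search() is used so syslog timestamps/prefixes in front of conn= are tolerated.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ ")
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \(([^)]*)\))?")

def tls_failures_by_client(lines):
    """Per client IP: connections accepted, TLS handshake failures, and
    connections that completed right after a failed one (a successful retry)."""
    peer = {}         # conn id -> client IP while the connection is open
    last_failed = {}  # client IP -> True if its previous connection failed TLS
    stats = defaultdict(lambda: {"accepted": 0, "tls_failed": 0, "retried_ok": 0})
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            peer[m.group(1)] = m.group(2)
            stats[m.group(2)]["accepted"] += 1
            continue
        m = CLOSED_RE.search(line)
        if not m or m.group(1) not in peer:
            continue  # not a close line, or a close whose ACCEPT was not seen
        ip = peer.pop(m.group(1))
        # Any other close reason is counted as "not a TLS failure".
        failed = m.group(2) == "TLS negotiation failure"
        if failed:
            stats[ip]["tls_failed"] += 1
        elif last_failed.get(ip):
            stats[ip]["retried_ok"] += 1
        last_failed[ip] = failed
    return dict(stats)

if __name__ == "__main__":
    for ip, s in tls_failures_by_client(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

A client with a high tls_failed count and a matching retried_ok count shows the "first connection rejected, retry works" pattern from this thread; a client with failures and no successful retries is a different problem.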