Re: Slapd, GNUTLS on Debian/Squeeze
On Friday, 20 May 2011 11:50:05 David Dumortier wrote:
> Hi everybody,
> I am trying to set up a slapd with TLS.
Do you mean START_TLS on ldap://, or ldaps:// ? I don't think you can test
START_TLS on ldap:// with gnutls-cli-debug.
> ldd /usr/sbin/slapd returns gnutls.so as expected.
> I generated a self-signed certificate with these options:
> certtool --generate-privkey --outfile /etc/ldap/ssl/mykey.key
> certtool --generate-request --load-privkey /etc/ldap/ssl/mykey.key
> --outfile /etc/ldap/ssl/mycsr.csr
> Basic Constraints (critical):
> Certificate Authority (CA): TRUE
> Key Purpose (not critical):
> TLS WWW Client.
> TLS WWW Server.
> Code signing.
> OCSP signing.
> Time stamping.
> Key Usage (critical):
> Digital signature.
> Key encipherment.
> Certificate signing.
> CRL signing.
> My slapd starts
With what command-line arguments/options (specifically, what values provided
to -h option)?
> but when I try a debug I have:
> # gnutls-cli-debug -p 636 myip
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.0 support... no
> Checking for SSL 3.0 support... no
> Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
Before doing this, did you verify that slapd is actually listening for ldaps
on port 636?
I suspect you are running ldap:// on port 636.
> Here is my slapd conf:
> olcTLSVerifyClient: demand
> olcTLSCertificateFile: /etc/ldap/ssl/mycsr.csr
> olcTLSCertificateKeyFile: /etc/ldap/ssl/mykey.key
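As an added diagnostic (my own Python script, not code from the thread or from OpenLDAP), covering the two questions raised above: which URL scheme the -h list actually binds on 636, whether the file named in olcTLSCertificateFile is a certificate or a CSR, and whether the port answers a TLS handshake. The function names and the "0.0.0.0" default for a wildcard host are my assumptions.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_slapd_services(value):
    """Split slapd's -h URL list (Debian: SLAPD_SERVICES in /etc/default/slapd)
    into (scheme, host, port); ldapi:// unix sockets have no port and are skipped."""
    out = []
    for url in value.split():
        p = urlsplit(url)
        if p.scheme in DEFAULT_PORTS:
            out.append((p.scheme, p.hostname or "0.0.0.0", p.port or DEFAULT_PORTS[p.scheme]))
    return out

def scheme_on_port(services, port):
    """Scheme(s) bound on this port; ldap:// on 636 is exactly the case where
    gnutls-cli-debug reports no SSL/TLS support at all."""
    return sorted({s for s, _, pt in services if pt == port})

def pem_kind(pem_text):
    """Classify a PEM file by its BEGIN label: olcTLSCertificateFile must name a
    certificate, not the CSR that certtool --generate-request writes."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    label = m.group(1) if m else ""
    if label == "CERTIFICATE":
        return "certificate"
    if label.endswith("CERTIFICATE REQUEST"):
        return "certificate request"
    return "private key" if label.endswith("PRIVATE KEY") else "unknown"

def probe_ldaps(host, port=636, timeout=5):
    """TLS handshake probe: 'tls:<version>' = ldaps really answers; 'no-tls' =
    something answered but not in TLS (typically ldap:// on 636); 'closed' =
    nothing listening. Verification is off because the cert is self-signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + tls.version()
    except ssl.SSLError:
        return "no-tls"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "error"
```

Run `pem_kind(open("/etc/ldap/ssl/mycsr.csr").read())` and `probe_ldaps("myip")` on the server to check both conditions at once.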