
Still getting TLS errors with 2.3.11

I reviewed ITS#4082 and I have that patch applied in tls.c (I'm running 2.3.11 
which has it). However, I still get TLS errors when using "ldapsearch -ZZ":
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0

TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
daemon: removing 13
conn=0 fd=13 closed (TLS negotiation failure)

The client (ldapsearch) displays "ldap_start_tls: Connect error (-11)".

ldapsearch -H ldaps:// also doesn't work:
connection_get(14)
connection_get(14): got connid=1
connection_read(14): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0

TLS: can't accept.
connection_read(14): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=14 for close
connection_close: conn=1 sd=14
daemon: removing 14
conn=1 fd=14 closed (TLS negotiation failure)

Here the client displays "ldap_bind: Can't contact LDAP server (-1)"


If I connect to the server on port 636 with the s_client command from openssl 
(which is also not start_tls), it connects:
(...)
connection_get(14)
connection_get(14): got connid=1
connection_read(14): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 92 01 03 01 00 69 00  00 00 20                  ......i...
tls_read: want=137, got=137
(...)

openldap-2.3.6 works with this config regarding start_tls (didn't test ldaps).

My TLS config in slapd.conf has just these two lines:
TLSCertificateFile      /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem

That file has the certificate and the private key in it.
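The three slapd traces differ only in what the first tls_read returned: 0 bytes in the two failing cases, 11 bytes from s_client. The script below is an added example, not part of this post or of OpenLDAP; it walks slapd debug output of this shape, records per connection what the first TLS read returned, whether SSL_accept reported an error, and the close reason, and decodes the 11-byte SSLv2-compatible ClientHello header that the s_client dump shows (the 0x80 high bit marks the 2-byte record header; TLS 1.0 is version 3,1). The sample log is constructed from the excerpts above (conn 0 as the ldapsearch -ZZ case, conn 1 as the s_client case), and the regexes are assumptions fitted to those lines, not an OpenLDAP API.

```python
import re
from typing import Dict, Optional

# Constructed sample built from the slapd -d output quoted in the post:
# conn 0 is the failing ldapsearch -ZZ attempt, conn 1 the s_client attempt.
SAMPLE_LOG = """\
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0

TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
daemon: removing 13
conn=0 fd=13 closed (TLS negotiation failure)
connection_get(14)
connection_get(14): got connid=1
connection_read(14): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 92 01 03 01 00 69 00  00 00 20                  ......i...
tls_read: want=137, got=137
"""

# Regexes are assumptions matching the log lines shown above.
CONN_READ_RE = re.compile(r"^connection_read\((\d+)\): checking for input on id=(\d+)")
TLS_READ_RE = re.compile(r"^tls_read: want=(\d+), got=(\d+)")
ACCEPT_ERR_RE = re.compile(r"^connection_read\(\d+\): TLS accept error error=(-?\d+) id=(\d+)")
CLOSED_RE = re.compile(r"^conn=(\d+) fd=(\d+) closed \((.*)\)")
HEX_DUMP_RE = re.compile(r"^\s+[0-9a-f]{4}:\s+(.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9a-f]{2}$")


def parse_v2_hello_header(hdr: bytes) -> Dict[str, object]:
    """Decode the 11-byte SSLv2-compatible CLIENT-HELLO header: 2-byte record
    header (high bit set), msg type, version, then three 2-byte lengths."""
    if len(hdr) < 11 or not hdr[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    record_len = ((hdr[0] & 0x7F) << 8) | hdr[1]
    return {
        "record_len": record_len,
        "msg_type": hdr[2],                      # 1 = CLIENT-HELLO
        "version": (hdr[3], hdr[4]),             # (3, 1) = TLS 1.0
        "cipher_spec_len": (hdr[5] << 8) | hdr[6],
        "session_id_len": (hdr[7] << 8) | hdr[8],
        "challenge_len": (hdr[9] << 8) | hdr[10],
        # bytes slapd still has to read: 2 header bytes + record_len - 11 read
        "remaining": 2 + record_len - 11,
    }


def _verdict(rec: Dict[str, object]) -> str:
    first = rec["first_tls_read"]
    if first is None:
        return "no TLS read seen"
    want, got = first
    if got == 0:
        return "peer closed before sending any handshake bytes (no ClientHello reached slapd)"
    if rec["accept_error"] is not None:
        return "ClientHello arrived but SSL_accept failed (server-side TLS setup)"
    return "handshake data flowing (%d of %d wanted bytes read)" % (got, want)


def triage(log_text: str) -> Dict[int, Dict[str, object]]:
    """Summarise each connection's TLS handshake from slapd debug output."""
    conns: Dict[int, Dict[str, object]] = {}
    current: Optional[int] = None
    for line in log_text.splitlines():
        m = CONN_READ_RE.match(line)
        if m:
            current = int(m.group(2))
            conns.setdefault(current, {"fd": int(m.group(1)), "first_tls_read": None,
                                       "hello": None, "accept_error": None,
                                       "close_reason": None})
            continue
        if current is None:
            continue
        rec = conns[current]
        m = TLS_READ_RE.match(line)
        if m and rec["first_tls_read"] is None:
            rec["first_tls_read"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = HEX_DUMP_RE.match(line)
        if m and rec["hello"] is None and rec["first_tls_read"]:
            got = rec["first_tls_read"][1]
            toks = [t for t in m.group(1).split() if HEX_BYTE_RE.match(t)][:got]
            if len(toks) == 11:                  # full SSLv2-style header present
                rec["hello"] = parse_v2_hello_header(bytes.fromhex("".join(toks)))
            continue
        m = ACCEPT_ERR_RE.match(line)
        if m:
            rec["accept_error"] = int(m.group(1))
            continue
        m = CLOSED_RE.match(line)
        if m and int(m.group(1)) in conns:
            conns[int(m.group(1))]["close_reason"] = m.group(3)
    for rec in conns.values():
        rec["verdict"] = _verdict(rec)
    return conns


if __name__ == "__main__":
    for cid, rec in triage(SAMPLE_LOG).items():
        print(cid, rec["first_tls_read"], rec["close_reason"], "->", rec["verdict"])
```

Run against real slapd output with `slapd -d conns,tls`-level logging (the exact debug flags depend on the build), the useful check is the first tls_read per connection: got=0 means the socket hit EOF before a single handshake byte, so the certificate file cannot yet be what slapd is choking on, whereas a decoded header whose remaining byte count matches the next want= value shows the client really did send a ClientHello.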