Re: Still getting TLS errors with 2.3.11

[Andreas Hasenack <ahasenack@terra.com.br>]

On Mon, Oct 17, 2005 at 09:29:57AM -0400, Aaron Richton wrote:
> > If I run ldapsearch from another machine which has another version of
> > openldap that is not 2.3.11 nor 2.3.10, then it works.
> 
> So this is against your 2.3.11 slapd, 2.3.11 ldapsearch -ZZ fails while
> <2.3.10 connects OK (2.3.11 server held constant)?

Correct.

> Do you have identical ldap.conf and/or .ldaprc on the 2.3.11 machines, and
> of course identical file contents referenced? Also, your logs are from

Using the machine with ldapsearch that works, if I remove "TLS_REQCERT
allow" from ~/.ldaprc or /etc/openldap/ldap.conf, then I get a
self-signed certificate error as expected.

> slapd -d -1 (which is a good debugging step), but you might want to try a
> ldapsearch -d -1 too so we can see the other side of the equation.

The same error code appears at the client side (either -11 with
start_tls or -1 with ldaps).

> The "telnet" seems to me a bad example, I'm pretty sure that will get
> "TLS: can't accept" in all situations. (Unless you know how to perform a
> TLS handshake by hand.)

telnet?
I used:

openssl s_client -connect ldapserver:636

to test ldaps:// connection and SSL was established. Obviously I didn't
do any ldap queries.

I reversed the ITS4072 patch in 2.3.11 (so that the affected files got
back to the 2.3.9 release state) and tls started working again.