Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root
Quanah Gibson-Mount
quanah at stanford.edu
Wed Aug 9 03:00:58 UTC 2006
--On Tuesday, August 08, 2006 8:23 PM -0600 "Berg, Michael" <michaeljberg at gmail.com> wrote:
> I spent some more time debugging, and here is some additional info.
>
> I ran slapd with debugging again ('-d 7' to match the previous ldapsearch
> debug output), and this time I spotted something that I must have missed
> before.
>
> In the interest of space, I removed the pages-upon-pages of output
> generated from parsing the schema files. The first line in the attached
> debug output is when slapd is opening the Certificate Authority's public
> cert. I've also inserted some blank lines and comments (started with a #
> character) into the debug output to show relevant events.
>
> Toward the end, there are error messages about:
> "TLS trace: SSL_accept:error in SSLv3 read client certificate A"
> and
> "TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> return a certificate s3_srvr.c:2455"
>
> This supports the web searches that tied ldapsearch's error of
> "error:14094410:SSL" to client certificates. But as previously stated, I
> have "TLSVerifyClient never" specified in my slapd.conf (maybe it's not
> being respected when running as non-root though).
>
> Anyway, I hope this helps in tracking down the problem. As always, if
> there is any additional info I can provide that would help, just let me
> know.
This error is coming straight from the OpenSSL libraries. Have you tried
connecting with openssl s_client?
<http://www.openldap.org/lists/openldap-software/200409/msg00242.html>
This link also notes someone hitting this issue in the past.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
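Quanah's suggestion to test with openssl s_client, carried through as an added example that is not part of this thread or of the OpenLDAP project: a small POSIX shell helper that probes an LDAPS listener with `openssl s_client -prexit` (so the session summary, including whether the server sent a CertificateRequest, is printed even when the handshake fails) and classifies the captured output. The hostname, port and CA file path are placeholders, and the three sample outputs are constructed excerpts in the shape s_client prints, not captures from the reporter's machine.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from OpenLDAP.
# Probe an LDAPS listener with openssl s_client and report (a) whether the
# server asked for a client certificate and (b) whether the handshake completed.

# Classify captured s_client output (stdout+stderr passed as a single string).
# Prints one line: client-cert-requested=<yes|no|unknown> handshake=<ok|failed|unknown>
classify_s_client() {
    out="$1"

    # s_client's session summary (printed on success, or on failure with -prexit)
    # reports the CA list from the server's CertificateRequest, if any.
    if printf '%s\n' "$out" | grep -q 'Acceptable client certificate CA names'; then
        req=yes
    elif printf '%s\n' "$out" | grep -q 'No client certificate CA names sent'; then
        req=no
    else
        req=unknown
    fi

    # ERR_print_errors lines look like "...:error:<code>:SSL routines:<func>:<reason>..."
    if printf '%s\n' "$out" | grep -q -e ':error:' -e 'SSL_connect:error' -e 'alert handshake failure'; then
        hs=failed
    elif printf '%s\n' "$out" | grep -q 'SSL handshake has read'; then
        hs=ok
    else
        hs=unknown
    fi

    echo "client-cert-requested=$req handshake=$hs"
}

# Live probe. Usage: probe_ldaps ldap.example.org 636 /etc/ldap/cacert.pem
# (hostname, port and CA path are assumed placeholders). stdin is closed so
# s_client exits right after the handshake; -prexit keeps the summary on failure.
probe_ldaps() {
    host="$1"; port="${2:-636}"; cafile="$3"
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" -prexit </dev/null 2>&1)
    classify_s_client "$out"
}

# Constructed sample outputs (trimmed excerpts in s_client's format, not real captures).
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.org
---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes
Verify return code: 0 (ok)'

SAMPLE_REQ_FAIL='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
Acceptable client certificate CA names
/CN=Example CA
---
SSL handshake has read 1234 bytes and written 456 bytes
Verify return code: 0 (ok)'

SAMPLE_EMPTY=''
```

Under `TLSVerifyClient never` slapd should send no CertificateRequest, so a probe against the server started as non-root reporting `client-cert-requested=yes` while the same binary started as root reports `=no` would confirm the reporter's suspicion that the setting is not taking effect in the non-root case; `client-cert-requested=no` together with `handshake=failed` would point away from client certificates altogether.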