[Pkg-openldap-devel] Bug#538278: Bug#538278: Bug#538278: ldaps doesn't work with tls

Matt Kassawara battery at writeme.com
Fri Jul 24 16:47:34 UTC 2009 

Not that it should matter, but did you generate your server certificate with
openssl or certtool?

On Fri, Jul 24, 2009 at 10:11 AM, Nicolas Jungers <deblbug at jungers.net>wrote:

> Mathias Gug a écrit :
> > Hi Nicolas,
> >
> > On Fri, Jul 24, 2009 at 11:16 AM, Nicolas Jungers<deblbug at jungers.net>
> wrote:
> >> Package: slapd
> >> Version: 2.4.11-1
> >>
> >>
> >> #-------- bits from slapd.conf
> >>
> >> # TLS configuration
> >> # CA
> >> TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
> >> # Cert
> >> TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
> >> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
> >> #TLSCipherSuite HIGH  <-- not with gnutls (openssl keyword)
> >
> > Could you try to add the CA Certificate
> > (/etc/ssl/certs/cacert.org.pem) to the TLSCertificateFile?
>
> cat cacert.org.pem main.jungers.net.pem > ldap.jungers.net.pem
>
> # TLS configuration
> # CA
> #TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
> # Cert
> #TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
> TLSCertificateFile /etc/ssl/certs/ldap.jungers.net.pem
> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
> #TLSCipherSuite HIGH  <-- not with gnutls (openssl keyword)
>
>
> /etc/init.d/slapd restart
> Stopping OpenLDAP: slapd.
> Starting OpenLDAP: slapd - failed.
> The operation failed but no output was produced. For hints on what went
> wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
> try running the daemon in Debug mode like via "slapd -d 16383" (warning:
> this will create copious output).
>
> Below, you can find the command line options used by this script to
> run slapd. Do not forget to specify those options if you
> want to look to debugging output:
>   slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f
> /etc/ldap/slapd.conf
>  5595 pts/12   S+     0:00 grep slapd
>
> and
>
> main slapd[5591]: main: TLS init def ctx failed: -60
>
>
> >
> >>
> >>
> >> #-------- if I try gnutls-cli I get
> >>
> >> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389
> >> main.jungers.netProcessed 2 CA certificate(s).
> >> Resolving 'main.jungers.net'...
> >> Connecting to '91.121.14.130:389'...
> >> *** Fatal error: A TLS packet with unexpected length was received.
> >> *** Handshake has failed
> >> GNUTLS ERROR: A TLS packet with unexpected length was received.
> >
> > You should use the --starttls option to test against port 389 as this
> > port expects to start a plain connection (which is then upgraded to an
> > encrypted connection with startTLS).
>
> ok, but it's still fails
>
> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem --starttls -p 389
> main.jungers.net
> Processed 2 CA certificate(s).
> Resolving 'main.jungers.net'...
> Connecting to '91.121.14.130:389'...
>
> - Simple Client Mode:
>
>
> *** Starting TLS handshake
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
>
>
>
> _______________________________________________
> Pkg-openldap-devel mailing list
> Pkg-openldap-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20090724/29ffb86b/attachment.htm>

More information about the Pkg-openldap-devel mailing list