[Pkg-openldap-devel] Bug#823232: Bug#823232: libldap-2.4-2: Cannot connect to LDAP server with invalid (self-signed or non-standard CA signed) certificate

Ryan Tandy ryan at nardis.ca
Sun May 15 03:13:09 UTC 2016


On Mon, May 02, 2016 at 05:44:58PM +0300, Aki Tuomi wrote:
>2. Try connect with openldap -Z -H ldap://server ...
>
>Expected behaviour
>Invalid cert ignored, and TLS continues

I failed to read this closely enough the first time.

This is actually not the intended behaviour, though: the meaning of the 
-Z option is to attempt TLS, but continue without it (cleartext) if the 
startTLS operation fails. Therefore using TLS_REQCERT allow and -ZZ is a 
better solution.

>Actual behaviour
>Failure with non-descriptive error, debug shows
>ldap_start_tls: Connect error (-11)

... but this is not the expected behaviour, either way!

There's something odd going on after the certificate is rejected - may 
be a bug in the GnuTLS support, or in the core TLS implementation - it 
looks like the client sends a plain Bind request while the server is 
still expecting a TLS handshake, possibly. But I'd rather discourage the 
use of this fallback to cleartext anyway, so I'm not going to look 
further into that right now. And an OpenSSL-linked slapd closes the 
connection outright after the TLS negotiation fails, which seems like 
the more prudent thing to do.
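An added example, not part of the bug report or of OpenLDAP itself: a small POSIX shell audit of a libldap client config (ldap.conf / .ldaprc) that reports the effective TLS_REQCERT policy, since that setting is what decides whether -ZZ succeeds or fails against a self-signed certificate. The sample configs are constructed; the assumption that a later TLS_REQCERT line overrides an earlier one is the script's, not documented behaviour.

```shell
#!/bin/sh
# audit_ldap_conf FILE
# Prints the effective TLS_REQCERT value of a libldap client config and
# returns 0 if the server certificate is still verified, 1 if verification
# has been switched off (allow/never) or the value is unrecognised.
# An unset TLS_REQCERT is treated as "demand", the libldap default.
audit_ldap_conf() {
    conf="$1"
    # Strip comments, match the keyword case-insensitively, keep the last
    # occurrence (assumption: later lines override earlier ones).
    value=$(sed -e 's/#.*//' "$conf" \
        | awk 'tolower($1) == "tls_reqcert" { v = tolower($2) }
               END { print (v == "" ? "demand" : v) }')
    case "$value" in
        demand|hard)
            echo "$conf: TLS_REQCERT=$value (certificate verified; -ZZ aborts on an untrusted cert)"
            return 0 ;;
        try)
            echo "$conf: TLS_REQCERT=try (certificate verified when the server presents one)"
            return 0 ;;
        allow|never)
            echo "$conf: TLS_REQCERT=$value (WEAK: certificate check disabled;" \
                 "prefer TLS_CACERT pointing at the signing CA plus TLS_REQCERT demand)"
            return 1 ;;
        *)
            echo "$conf: TLS_REQCERT=$value (unrecognised value)"
            return 1 ;;
    esac
}

# Constructed sample configs for a stand-alone run (not from the report).
demo_dir=$(mktemp -d)
printf 'URI ldap://ldap.example.test\nTLS_REQCERT allow   # tolerate self-signed cert\n' \
    > "$demo_dir/weak.conf"
printf 'URI ldap://ldap.example.test\nTLS_CACERT /etc/ssl/certs/internal-ca.pem\nTLS_REQCERT demand\n' \
    > "$demo_dir/fixed.conf"
audit_ldap_conf "$demo_dir/weak.conf"    # exits 1: allow disables the check
audit_ldap_conf "$demo_dir/fixed.conf"   # exits 0: CA trusted, demand kept
rm -r "$demo_dir"
```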
