Not that it should matter, but did you generate your server certificate with openssl or certtool?<br><br><div class="gmail_quote">On Fri, Jul 24, 2009 at 10:11 AM, Nicolas Jungers <span dir="ltr"><<a href="mailto:deblbug@jungers.net">deblbug@jungers.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Mathias Gug wrote:<br>
<div class="im">> Hi Nicolas,<br>
><br>
> On Fri, Jul 24, 2009 at 11:16 AM, Nicolas Jungers<<a href="mailto:deblbug@jungers.net">deblbug@jungers.net</a>> wrote:<br>
>> Package: slapd<br>
>> Version: 2.4.11-1<br>
>><br>
>><br>
>> #-------- bits from slapd.conf<br>
>><br>
>> # TLS configuration<br>
>> # CA<br>
>> TLSCACertificateFile /etc/ssl/certs/cacert.org.pem<br>
>> # Cert<br>
>> TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem<br>
>> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem<br>
>> #TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)<br>
><br>
> Could you try to add the CA Certificate<br>
> (/etc/ssl/certs/cacert.org.pem) to the TLSCertificateFile?<br>
<br>
</div>cat cacert.org.pem main.jungers.net.pem > ldap.jungers.net.pem<br>
<div class="im"><br>
# TLS configuration<br>
# CA<br>
#TLSCACertificateFile /etc/ssl/certs/cacert.org.pem<br>
# Cert<br>
#TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem<br>
</div>TLSCertificateFile /etc/ssl/certs/ldap.jungers.net.pem<br>
<div class="im">TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem<br>
#TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)<br>
<br>
<br>
</div>/etc/init.d/slapd restart<br>
Stopping OpenLDAP: slapd.<br>
Starting OpenLDAP: slapd - failed.<br>
The operation failed but no output was produced. For hints on what went<br>
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or<br>
try running the daemon in Debug mode like via "slapd -d 16383" (warning:<br>
this will create copious output).<br>
<br>
Below, you can find the command line options used by this script to<br>
run slapd. Do not forget to specify those options if you<br>
want to look to debugging output:<br>
<div class="im"> slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f<br>
/etc/ldap/slapd.conf<br>
</div> 5595 pts/12 S+ 0:00 grep slapd<br>
<br>
and<br>
<br>
main slapd[5591]: main: TLS init def ctx failed: -60<br>
<div class="im"><br>
<br>
><br>
>><br>
>><br>
>> #-------- if I try gnutls-cli I get<br>
>><br>
>> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389<br>
>> main.jungers.net<br>
>> Processed 2 CA certificate(s).<br>
>> Resolving '<a href="http://main.jungers.net" target="_blank">main.jungers.net</a>'...<br>
>> Connecting to '91.121.14.130:389'...<br>
>> *** Fatal error: A TLS packet with unexpected length was received.<br>
>> *** Handshake has failed<br>
>> GNUTLS ERROR: A TLS packet with unexpected length was received.<br>
><br>
> You should use the --starttls option to test against port 389 as this<br>
> port expects to start a plain connection (which is then upgraded to an<br>
> encrypted connection with startTLS).<br>
<br>
</div>ok, but it still fails<br>
<br>
gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem --starttls -p 389<br>
<a href="http://main.jungers.net" target="_blank">main.jungers.net</a><br>
<div class="im">Processed 2 CA certificate(s).<br>
Resolving '<a href="http://main.jungers.net" target="_blank">main.jungers.net</a>'...<br>
Connecting to '91.121.14.130:389'...<br>
<br>
</div>- Simple Client Mode:<br>
<br>
<br>
*** Starting TLS handshake<br>
<div class="im">*** Fatal error: A TLS packet with unexpected length was received.<br>
*** Handshake has failed<br>
<br>
<br>
<br>
</div><div><div class="h5">_______________________________________________<br>
Pkg-openldap-devel mailing list<br>
<a href="mailto:Pkg-openldap-devel@lists.alioth.debian.org">Pkg-openldap-devel@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel" target="_blank">http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel</a></div></div></blockquote></div><br>
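The bundle built above with `cat cacert.org.pem main.jungers.net.pem` puts the CA certificate first, while the first certificate in TLSCertificateFile is taken as the server certificate and must belong to TLSCertificateKeyFile. As an added example (not code from the thread or from OpenLDAP), this POSIX shell script checks a bundle the way GnuTLS reads it; it assumes the openssl CLI and builds a throwaway CA and server certificate under a constructed name so both orderings can be compared offline.

```shell
#!/bin/sh
# Added check for a slapd TLSCertificateFile bundle (not code from the thread).
# GnuTLS takes the FIRST certificate in the file as the server certificate and
# requires it to belong to TLSCertificateKeyFile; later certificates are the chain.
# Assumes the openssl CLI is installed (certtool, mentioned in the thread, would also do).

# Print the Nth (1-based) PEM certificate of a bundle.
nth_cert() {  # $1 = bundle file, $2 = N
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                   c == n { print }
                   /-----END CERTIFICATE-----/ { if (c == n) exit }' "$1"
}

# Succeeds if the first certificate carries the public key derived from the private key.
first_cert_matches_key() {  # $1 = bundle file, $2 = private key file
    cert_pub=$(nth_cert "$1" 1 | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the first certificate verifies against the CA file.
first_cert_verifies() {  # $1 = bundle file, $2 = CA file
    nth_cert "$1" 1 | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Report both checks for the three files named in slapd.conf.
check_bundle() {  # $1 = TLSCertificateFile, $2 = TLSCertificateKeyFile, $3 = TLSCACertificateFile
    if first_cert_matches_key "$1" "$2"; then echo "OK: first certificate matches the key"
    else echo "FAIL: first certificate does not match the key (CA listed first?)"; fi
    if first_cert_verifies "$1" "$3"; then echo "OK: first certificate verifies against the CA"
    else echo "FAIL: first certificate does not verify against the CA"; fi
}

# Build a throwaway CA and server certificate in $1 (constructed test data, not real PKI)
# and write the bundle in both orders so check_bundle can be compared on each.
make_test_pki() {  # $1 = scratch directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
    cat "$1/ca.pem" "$1/server.pem" > "$1/ca-first.pem"      # order used in the thread
    cat "$1/server.pem" "$1/ca.pem" > "$1/server-first.pem"  # order slapd expects
}

# Usage against the real files: . ./check_bundle.sh; check_bundle \
#   /etc/ssl/certs/ldap.jungers.net.pem /etc/ssl/private/main.jungers.net-key.pem \
#   /etc/ssl/certs/cacert.org.pem
```

Run `make_test_pki` into a scratch directory and call `check_bundle` on `ca-first.pem` and `server-first.pem` to see the key check fail for the CA-first order and pass for the server-first order.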