[Pkg-openldap-devel] Bug#473796: TLS fails completely
debian at x.ray.net
Tue Apr 1 17:39:17 UTC 2008
Package: slapd
Version: 2.4.7-6.1
lenny amd64
libgnutls26 2.2.2-1
Doing a TLS query (-Z or -ZZ) will fail:
ldap_start_tls: Connect error (-11)
gnutls-cli says:
user at host:~$ gnutls-cli-debug host -p 389
Resolving 'host'...
Connecting to '127.0.1.1:389'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... no
Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
user at host:~$
In slapd.conf:
TLSCertificateFile /etc/ldap/host.crt
TLSCertificateKeyFile /etc/ldap/host.key
are configured. Permissions are correct (host.key: 640 root:openldap),
and strace shows that slapd opens and reads both files.
Running the above gnutls-cli-debug against:
sudo -u openldap gnutls-serv --x509keyfile /etc/ldap/host.key
--x509certfile /etc/ldap/host.crt
works (all TLS/SSL supported).
I tried slapd.conf with and without each of:
security tls=128
TLSVerifyClient never
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
(plus with TLSCipherSuite listing all supported suites according to
gnutls-cli -l)
When trying a query with TLS, slapd -d 1 says:
slap_listener_activate(8):
>>> slap_listener(ldap:///)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS: can't accept: A record packet with illegal version was received..
connection_read(13): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
I guess if it were a general bug in the slapd package there should be at
least some amount of hue and cry about it, but there isn't, so it might
be some sort of special case here; therefore I'd rather refrain from
labelling this 'severity: important'...
I'd actually consider both any 'worksforme' and 'doesntworkheretoo'
notes valuable... :)
regards,
Chris
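The StartTLS exchange visible in the slapd -d 1 log above, decoded and replayed as an added example (not part of the bug report or of the slapd package): the 29-byte extended request and the 14-byte err=0 response are built by hand, and only after the server has accepted StartTLS is the TLS handshake attempted, so an LDAP-level refusal can be told apart from a failing TLS layer such as the "record packet with illegal version" error in the report. The host name is a placeholder.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def ber_len(n):
    # Short-form BER length only; every message in this exchange is under 128 bytes.
    if n >= 128:
        raise ValueError("long-form length not needed here")
    return bytes([n])


def starttls_request(msgid=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # 24 bytes
    extended_req = b"\x77" + ber_len(len(request_name)) + request_name   # 26 bytes
    body = b"\x02\x01" + bytes([msgid]) + extended_req                   # 29 bytes
    return b"\x30" + ber_len(len(body)) + body   # the "tag 0x30 len 29" line in the log


def parse_extended_response(data):
    """Return (msgid, resultCode) from an extendedResp [APPLICATION 24]; tag 0x78 == 120."""
    if data[0] != 0x30 or data[2:4] != b"\x02\x01":
        raise ValueError("not an LDAPMessage with a 1-byte messageID")
    if data[5] != 0x78:
        raise ValueError("not an extendedResponse (tag 0x%02x)" % data[5])
    if data[7:9] != b"\x0a\x01":
        raise ValueError("resultCode ENUMERATED expected")
    return data[4], data[9]


def probe(host, port=389, timeout=5):
    """Send StartTLS, then try the handshake; separates LDAP-level refusal from TLS failure."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    _msgid, rc = parse_extended_response(sock.recv(1024))
    if rc != 0:
        return "server refused StartTLS (resultCode %d)" % rc
    # err=0 came back, as in the report, so any remaining failure is in the TLS layer
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # availability check only; trust is not evaluated here
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
        return "TLS ok: %s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        return "StartTLS accepted but handshake failed: %s" % exc.reason


if __name__ == "__main__":
    print(probe("ldap.example.invalid"))   # placeholder host, not from the report
```

A 14-byte response of the form shown in the test below (messageID 1, resultCode success, empty matchedDN and errorMessage) is exactly what the "ber_flush2: 14 bytes" line in the log corresponds to.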