[Pkg-openldap-devel] Bug#473796: TLS fails completely

Steve Langasek vorlon at debian.org
Tue Apr 1 18:12:07 UTC 2008


On Tue, Apr 01, 2008 at 07:39:17PM +0200, debian at x.ray.net wrote:
> lenny amd64
> libgnutls26 2.2.2-1

> doing a TLS query (-Z or -ZZ) will fail:

> ldap_start_tls: Connect error (-11)

Can you try with some more debugging options?  Unfortunately the default
error codes from ldapsearch are not very descriptive.

> gnutls-cli says:

> user at host:~$ gnutls-cli-debug host -p 389
> Resolving 'host'...
> Connecting to '127.0.1.1:389'...
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.0 support... no
> Checking for SSL 3.0 support... no

> Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
> user at host:~$

TLS negotiation is protocol-specific; connecting on the LDAP port with
gnutls-cli is not a meaningful test of TLS support.

> when trying a query with TLS, slapd -d 1 says:

> slap_listener_activate(8):
> >>> slap_listener(ldap:///)
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 29 contents:
> ber_get_next
> conn=0 op=0 do_extended
> ber_scanf fmt ({m) ber:
> send_ldap_extended: err=0 oid= len=0
> send_ldap_response: msgid=1 tag=120 err=0
> ber_flush2: 14 bytes to sd 13
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS: can't accept: A record packet with illegal version was received..
> connection_read(13): TLS accept failure error=-1 id=0, closing
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13

That's with what client?  Probably with gnutls-cli?

> I guess if it were a general bug in the slapd package there should be at
> least some amount of hue and cry about it - but there isn't, so it might
> be some sort of special case here, therefore I'd rather refrain from
> labelling this 'severity: important'...

> I'd actually consider both any 'worksforme' and 'doesntworkheretoo'
> notes valuable... :)

I haven't tested the -6.1 NMU specifically, but "worksforme" on the previous
builds of 2.4.7, and indeed I tested TLS support quite extensively while
getting 2.4.7 into shape for Debian.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
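The point Steve makes above (TLS on the LDAP port is negotiated inside the protocol, via the StartTLS extended operation, not by a raw TLS handshake on port 389 as gnutls-cli attempts) can be illustrated with a small client. The following Python script is an added example, not code from this thread or from the OpenLDAP project; all function names are mine, and the host name is a placeholder. It builds the StartTLS ExtendedRequest by hand, parses the ExtendedResponse, and only then wraps the same socket in TLS with certificate verification enabled. The encoder is sized so that its output matches the slapd -d 1 trace quoted in the report: the request is an LDAPMessage with `tag 0x30 len 29`, the reply is an ExtendedResponse (APPLICATION 24, which slapd logs as `tag=120`), and a successful reply is 14 bytes long.

```python
import socket
import ssl

# LDAP StartTLS extended operation OID (RFC 4511, section 4.14).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """Encode a BER length in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_start_tls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.

    For msgid=1 this is exactly 31 bytes: SEQUENCE tag 0x30, length 29.
    (messageID < 128 is assumed so the INTEGER fits in one byte.)
    """
    message_id = ber_tlv(0x02, bytes([msgid]))   # INTEGER
    request_name = ber_tlv(0x80, START_TLS_OID)  # [0] context-specific, primitive
    extended_req = ber_tlv(0x77, request_name)   # APPLICATION 23, constructed
    return ber_tlv(0x30, message_id + extended_req)


def build_extended_response(msgid=1, result_code=0, diag=b""):
    """Constructed server reply, used here only for offline testing.

    ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage }.
    A success reply with empty strings is 14 bytes, as in the quoted slapd trace.
    """
    op = ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, diag)
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ber_tlv(0x78, op))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_extended_response(data):
    """Parse an LDAPMessage carrying an ExtendedResponse -> (msgid, resultCode, diagnostic)."""
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag %#x)" % tag)
    tag, msgid_bytes, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    msgid = int.from_bytes(msgid_bytes, "big")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:  # APPLICATION 24; slapd prints this as tag=120
        raise ValueError("not an ExtendedResponse (tag %#x)" % tag)
    _, rc_bytes, pos = read_tlv(op)        # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return msgid, int.from_bytes(rc_bytes, "big"), diag.decode("utf-8", "replace")


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    hdr = recv_exact(sock, 2)
    if hdr[1] & 0x80:
        extra = recv_exact(sock, hdr[1] & 0x7F)
        length = int.from_bytes(extra, "big")
        hdr += extra
    else:
        length = hdr[1]
    return hdr + recv_exact(sock, length)


def start_tls(host, port=389, timeout=5.0):
    """Plaintext StartTLS request, check the reply, then TLS on the same socket.

    Returns the negotiated protocol version (e.g. "TLSv1.2"). Certificate
    verification against the system trust store stays on; a mismatched or
    untrusted server certificate raises ssl.SSLError instead of silently passing.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_start_tls_request())
    msgid, rc, diag = parse_extended_response(recv_ldap_message(sock))
    if rc != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: resultCode=%d %s" % (rc, diag))
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(sock, server_hostname=host)
    version = tls.version()
    tls.close()
    return version


if __name__ == "__main__":
    # Placeholder host; replace with the directory server under test.
    print(start_tls("ldap.example.invalid"))
```

Running `start_tls()` against a slapd that has TLS configured produces a trace like the one in the report up to `ber_flush2: 14 bytes`, followed by a successful `TLS accept`; a tool that starts the TLS handshake before sending the extended request never gets past the first `ber_get_next`, which is why the gnutls-cli output above says nothing about slapd's TLS support.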