[Pkg-openldap-devel] Bug#502547: Bug#502547: libldap-2.4-2: client libldap doesn't send TLS certificate

Quanah Gibson-Mount quanah at zimbra.com
Fri Oct 17 17:38:11 UTC 2008


--On Friday, October 17, 2008 7:30 PM +0200 bugs at shiva.hostoffice.hu wrote:

> Quanah Gibson-Mount wrote:
>> --On Friday, October 17, 2008 6:21 PM +0200 Mayer Gabor
>> <bugs at shiva.hostoffice.hu> wrote:
>>
>>> Package: libldap-2.4-2
>>> Version: 2.4.11-1
>>> Severity: normal
>>>
>>> server slapd.conf:
>>> TLSCACertificateFile /etc/ldap/server.crt
>>> TLSCertificateFile /etc/ldap/server.crt
>>> TLSCertificateKeyFile /etc/ldap/server.key
>>> TLSVerifyClient true
>>>
>>> client ldap.conf:
>>> BASE dc=example,dc=org
>>> URI ldaps://ldap.example.org
>>> TLS_CACERT /etc/ldap/server.crt
>>> TLS_CERT /etc/ldap/server.crt
>>> TLS_KEY /etc/ldap/server.key
>>>
>>> client log:
>>> ldapsearch -d 255 -x
>>> TLS: can't connect: A TLS fatal alert has been received..
>>> ldap_err2string
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>
>>> server log:
>>> TLS trace: SSL3 alert write:fatal:handshake failure
>>> TLS trace: SSL_accept:error in SSLv3 read client certificate B
>>> TLS: can't accept.
>>> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
>>> not
>>> return a certificate s3_srvr.c:2455

> The client got the server's certificate well, but the client doesn't send
> his own certificate to the server. SSL3_GET_CLIENT_CERTIFICATE:peer did
> not return a certificate s3_srvr.c:2455

Your client log and server log snippets don't make sense.  The client
says it couldn't contact any LDAP server (-1).  Are you sure you're looking 
at the same connection data?

Also, what specifically are you trying to accomplish?  A SASL/EXTERNAL 
bind?  That can't be done with the "-x" option.  If you're only trying to 
set up SSL/TLS between the client & server, get rid of the TLS_CERT and 
TLS_KEY parameters (those are user only, for SASL/EXTERNAL binds), and make 
sure that the TLS_CACERT is pointing to the CA for the LDAP server.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
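An added check, not part of this thread, that separates the two situations Quanah asks about: feed the transcript of `openssl s_client` talking to the ldaps:// port into the function below and it reports whether the server sent a TLS CertificateRequest (what `TLSVerifyClient true` makes slapd do) and whether it then refused the connection, instead of the generic "Can't contact LDAP server (-1)". The host, port and CA path in the usage note are assumptions taken from the bug report's configuration, and the sample transcript is constructed.

```shell
#!/bin/sh
# Classify an `openssl s_client` transcript read on stdin. Prints one word:
#   refused-no-client-cert : server asked for a client cert, then sent a fatal
#                            alert (slapd with TLSVerifyClient true/demand)
#   client-cert-requested  : server asked for a client cert but tolerated its
#                            absence (TLSVerifyClient allow/try)
#   server-auth-only       : handshake done, no client cert requested
#   handshake-failed       : fatal alert for another reason (e.g. CA mismatch)
#   no-handshake           : nothing recognisable (wrong port, not TLS, ...)
classify_handshake() {
    transcript=$(cat)
    requested=0; alert=0; ca_seen=0
    # s_client prints this header once the server's CertificateRequest carried
    # a non-empty CA list (the case when TLSCACertificateFile is set), even if
    # the handshake is aborted afterwards.
    if printf '%s\n' "$transcript" | grep -q 'Acceptable client certificate CA names'; then
        requested=1
    fi
    # Printed instead when no CA names were received.
    if printf '%s\n' "$transcript" | grep -q 'No client certificate CA names sent'; then
        ca_seen=1
    fi
    # TLS 1.2 servers answer a missing client cert with "handshake failure"
    # (the alert in the bug report's server log); TLS 1.3 servers with
    # "certificate required".
    if printf '%s\n' "$transcript" | grep -Eq 'alert (handshake failure|certificate required)'; then
        alert=1
    fi
    if [ "$requested" = 1 ] && [ "$alert" = 1 ]; then echo refused-no-client-cert
    elif [ "$requested" = 1 ]; then echo client-cert-requested
    elif [ "$alert" = 1 ]; then echo handshake-failed
    elif [ "$ca_seen" = 1 ]; then echo server-auth-only
    else echo no-handshake
    fi
}

# Constructed sample: the shape of s_client output against a slapd running
# with TLSVerifyClient true when the client presents no certificate.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = ldap.example.org
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
Acceptable client certificate CA names
CN = ldap.example.org
---'

# Runs the classifier over the constructed sample (for the demo and tests).
check_sample() { printf '%s\n' "$SAMPLE_TRANSCRIPT" | classify_handshake; }
```

Against the live server: `openssl s_client -connect ldap.example.org:636 -CAfile /etc/ldap/server.crt </dev/null 2>&1 | classify_handshake`; a result of `refused-no-client-cert` means the server side is demanding a client certificate, so the client either needs a user-level TLS_CERT/TLS_KEY (in ~/.ldaprc) or the server should drop `TLSVerifyClient true`.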