[Pkg-openldap-devel] Bug#538278: Bug#538278: ldaps doesn't work with tls

Nicolas Jungers deblbug at jungers.net
Fri Jul 24 16:11:03 UTC 2009


Mathias Gug wrote:
> Hi Nicolas,
> 
> On Fri, Jul 24, 2009 at 11:16 AM, Nicolas Jungers<deblbug at jungers.net> wrote:
>> Package: slapd
>> Version: 2.4.11-1
>>
>>
>> #-------- bits from slapd.conf
>>
>> # TLS configuration
>> # CA
>> TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
>> # Cert
>> TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
>> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
>> #TLSCipherSuite HIGH  <-- not with gnutls (openssl keyword)
> 
> Could you try to add the CA Certificate
> (/etc/ssl/certs/cacert.org.pem) to the TLSCertificateFile?

cat cacert.org.pem main.jungers.net.pem > ldap.jungers.net.pem

# TLS configuration
# CA
#TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
# Cert
#TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
TLSCertificateFile /etc/ssl/certs/ldap.jungers.net.pem
TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
#TLSCipherSuite HIGH  <-- not with gnutls (openssl keyword)


/etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).

Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
  slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f
/etc/ldap/slapd.conf
 5595 pts/12   S+     0:00 grep slapd

and

main slapd[5591]: main: TLS init def ctx failed: -60


> 
>>
>>
>> #-------- if I try gnutls-cli I get
>>
>> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389
>> main.jungers.net
>> Processed 2 CA certificate(s).
>> Resolving 'main.jungers.net'...
>> Connecting to '91.121.14.130:389'...
>> *** Fatal error: A TLS packet with unexpected length was received.
>> *** Handshake has failed
>> GNUTLS ERROR: A TLS packet with unexpected length was received.
> 
> You should use the --starttls option to test against port 389 as this
> port expects to start a plain connection (which is then upgraded to an
> encrypted connection with startTLS).

ok, but it still fails

gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem --starttls -p 389
main.jungers.net
Processed 2 CA certificate(s).
Resolving 'main.jungers.net'...
Connecting to '91.121.14.130:389'...

- Simple Client Mode:


*** Starting TLS handshake
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
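An added check, not part of the bug report or of the slapd package: GnuTLS takes the first certificate in TLSCertificateFile as the server's own (the one that must match TLSCertificateKeyFile) and the following ones as its chain, and its error -60 is GNUTLS_E_CERTIFICATE_KEY_MISMATCH, so a bundle built CA-first is worth testing before slapd is restarted. The script below verifies the key match and the leaf-first order of any concatenated bundle; it assumes openssl is installed and the function name check_tls_pair is my own.

```shell
#!/bin/sh
# check_tls_pair CERTFILE KEYFILE
# Exit 0 when the first certificate in CERTFILE matches KEYFILE and every
# later certificate is the issuer of the one before it; exit 1 otherwise.

pubkey_fingerprint() {
    # SHA-256 of the DER SubjectPublicKeyInfo read as PEM from stdin
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

check_tls_pair() {
    certfile=$1; keyfile=$2
    tmp=$(mktemp -d) || return 1
    # Split the bundle into cert-0.pem, cert-1.pem, ... in file order
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", d, n); n++ }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$certfile"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no certificate found in $certfile"; rm -rf "$tmp"; return 1; }

    # The first certificate must carry the public key belonging to KEYFILE
    cert_fp=$(openssl x509 -in "$tmp/cert-0.pem" -noout -pubkey | pubkey_fingerprint)
    key_fp=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null | pubkey_fingerprint)
    if [ -z "$key_fp" ] || [ "$cert_fp" != "$key_fp" ]; then
        echo "first certificate in $certfile does not match $keyfile"
        echo "  ($(openssl x509 -in "$tmp/cert-0.pem" -noout -subject))"
        rm -rf "$tmp"; return 1
    fi
    # Each following certificate must be the issuer of the previous one
    i=1
    while [ "$i" -lt "$n" ]; do
        prev=$((i - 1))
        issuer=$(openssl x509 -in "$tmp/cert-$prev.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i in $certfile is not the issuer of certificate $prev"
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "OK: $certfile is leaf-first ($n certificate(s)) and matches $keyfile"
    return 0
}
```

Run it as `check_tls_pair /etc/ssl/certs/ldap.jungers.net.pem /etc/ssl/private/main.jungers.net-key.pem` (as a user that can read the key) before `/etc/init.d/slapd restart`.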
