Bug#277767: [Pkg-shadow-devel] Bug#277767: Progress on this bug report?

Alexander Gattin xrgtn at yandex.ru
Mon Mar 27 20:30:23 UTC 2006


On Mon, Mar 06, 2006 at 09:55:23AM +0000, Greg Matthews wrote:
> yes, you can have a number of different CA certs depending on what you
> are connecting to. Dropping them into a directory means the ldap tools
> will be able to use them (after the symbolic links have been set up).

Today I have finally managed to make openldap (slapd)
work with TLS/SSL. Initially I tried DSA certs, and
this always resulted in SSL handshake failure (no
shared cipher), despite all my efforts, including
different clients (pam_ldap, ldapsearch, openssl
s_client) and attempt to trace root cause of the issue
(I used slapd -d 65535, s_client's debug, tcpdump,
then ssldump...).

Ultimately, with the same cert/key pair, s_server
succeeded with s_client (where slapd didn't). Well, for
this I used ldaps:///, because ldap:///+TLS can't work
with s_client AFAIU. But anyway this clearly shows
there's something wrong with slapd, as s_server works
OK under the same conditions...

Then I created RSA cert of almost the same contents
(RSA had email while DSA hadn't) and bitlength. This
surprisingly enabled s_client to succeed.

I suspect bug in slapd's handling of SSL_CTX or
DH params... I'd love to have more time to check and
report it. :(

> > It looks like bug is in libnss-ldap, or libpam-ldap,
> > not in su, but this has to be proven first.

Soon I'll be close to this.


More information about the Pkg-shadow-devel mailing list