Bug#277767: [Pkg-shadow-devel] Bug#277767: Progress on this bug report?
Alexander Gattin
xrgtn at yandex.ru
Mon Mar 27 20:30:23 UTC 2006
Hi!
On Mon, Mar 06, 2006 at 09:55:23AM +0000, Greg Matthews wrote:
> yes, you can have a number of different CA certs depending on what you
> are connecting to. Dropping them into a directory means the ldap tools
> will be able to use them (after the symbolic links have been set up).
Today I have finally managed to make openldap (slapd) work with TLS/SSL. Initially I tried DSA certs, and this always resulted in an SSL handshake failure (no shared cipher), despite all my efforts, including different clients (pam_ldap, ldapsearch, openssl s_client) and attempts to trace the root cause of the issue (I used slapd -d 65535, s_client's debug, tcpdump, then ssldump...).

Ultimately, with the same cert/key pair, s_server succeeded with s_client (where slapd didn't). Well, for this I used ldaps:///, because ldap:///+TLS can't work with s_client AFAIU. But anyway this clearly shows there's something wrong with slapd, as s_server works OK under the same conditions...

Then I created an RSA cert of almost the same contents (the RSA one had an email while the DSA one hadn't) and bit length. This surprisingly enabled s_client to succeed.

I suspect a bug in slapd's handling of SSL_CTX or DH params... I'd love to have more time to check and report it. :(
> > It looks like bug is in libnss-ldap, or libpam-ldap,
> > not in su, but this has to be proven first.
Soon I'll be close to this.
--
WBR,
xrgtn
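The s_server/s_client comparison described in the mail, scripted as an added example (this is not code from the mail, from Debian, or from the openldap project). It assumes an `openssl` binary on PATH and a free TCP port on 127.0.0.1. `gen_rsa_cert` writes a constructed self-signed RSA cert/key pair for testing; to check a real slapd cert/key, pass those files to `tls_handshake_check` instead. The second demo call restricts the client to an ECDSA-only cipher suite against the RSA cert, which is a constructed way to provoke the same "no shared cipher" handshake failure the mail reports, so the reader can see how that case looks from the client side (`Cipher is (NONE)`) next to a working handshake.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the openldap/slapd
# project. It reproduces the "does s_server succeed where slapd fails?" test
# from the mail for any cert/key pair, and shows what a cert-type/cipher
# mismatch looks like from the client side (the "no shared cipher" case).
# Assumed: an `openssl` binary on PATH, and a free TCP port on 127.0.0.1.

# Write a throwaway self-signed RSA cert/key pair into directory $1.
# (Constructed test data; pass the real slapd cert/key to test those instead.)
gen_rsa_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=localhost" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Serve cert $1 / key $2 with `openssl s_server` on 127.0.0.1:$3, connect once
# with `openssl s_client` (extra client options in $4, e.g. a -cipher
# restriction), and print the negotiated cipher. Exit status 0 when a cipher
# was agreed, 1 when the handshake failed ("(NONE)") or nothing answered.
tls_handshake_check() {
    cert=$1; key=$2; port=$3; client_opts=${4:-}
    # -www keeps s_server off stdin; -naccept 1 makes it exit after one client.
    openssl s_server -accept "$port" -cert "$cert" -key "$key" \
        -www -naccept 1 >/dev/null 2>&1 &
    srv=$!
    cipher=""
    attempt=0
    # Retry until the server is listening: a refused TCP connect prints no
    # "Cipher is" line at all, whereas a failed TLS handshake prints
    # "Cipher is (NONE)", which is a final answer and ends the loop.
    while [ "$attempt" -lt 10 ]; do
        # $client_opts is intentionally unquoted so it word-splits into options.
        out=$(openssl s_client -connect "127.0.0.1:$port" -CAfile "$cert" \
                  $client_opts </dev/null 2>&1) || true
        cipher=$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \(.*\)/\1/p' | head -n 1)
        if [ -n "$cipher" ]; then break; fi
        attempt=$((attempt + 1))
        sleep 1
    done
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    printf '%s\n' "${cipher:-no connection}"
    case "$cipher" in
        ""|"(NONE)") return 1 ;;
        *)           return 0 ;;
    esac
}

# Demo: a working handshake, then a constructed cert-type/cipher mismatch.
demo() {
    tmp=$(mktemp -d) || return 1
    port=$((20000 + $$ % 20000))
    gen_rsa_cert "$tmp" || { echo "cert generation failed"; rm -rf "$tmp"; return 1; }
    echo "RSA cert, default client settings:"
    tls_handshake_check "$tmp/cert.pem" "$tmp/key.pem" "$port"
    echo "RSA cert, client limited to an ECDSA-only suite (expect (NONE)):"
    tls_handshake_check "$tmp/cert.pem" "$tmp/key.pem" $((port + 1)) \
        "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256"
    rm -rf "$tmp"
}

# Run the demo with:  sh tls_check.sh run
case "${1:-}" in run) demo ;; esac
```

The useful comparison is the one the mail makes: if `tls_handshake_check` agrees a cipher with the exact cert/key files slapd is configured with, the cert and key are usable by OpenSSL and the fault lies in how the server application sets up its SSL context or cipher list; if it already reports `(NONE)` here, the cert type, key size or the client's cipher list is the problem, independent of slapd. The cipher printed for a successful run is whatever the local OpenSSL negotiates, so it differs between versions.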