Bug#277767: [Pkg-shadow-devel] Bug#277767: Progress on this bug report?

Greg Matthews gmatt at nerc.ac.uk
Tue Mar 28 14:20:31 UTC 2006

On Mon, 2006-03-27 at 23:30 +0300, Alexander Gattin wrote:
> Today I have finally managed to make openldap (slapd)
> work with TLS/SSL. Initially I tried DSA certs, and
> this always resulted in an SSL handshake failure (no
> shared cipher), despite all my efforts, including
> different clients (pam_ldap, ldapsearch, openssl
> s_client) and an attempt to trace the root cause of the issue
> (I used slapd -d 65535, s_client's debug, tcpdump,
> then ssldump...).

Never had too much trouble setting up either start_TLS or ldaps security,
although I've always used RSA, I think. There's a fair amount of info at the
faq-o-matic over at openldap.org (some people can't stand faq-o-matic, though),
and plenty of old war stories on the web; it might be worth looking at the
iTSS site over at Stanford. Otherwise, give me a yell and I'll help if I
> Ultimately, with the same cert/key pair, s_server
> succeeded with s_client (where slapd didn't). Well, for
> this I used ldaps:///, because ldap:///+TLS can't work
> with s_client AFAIU. But anyway this clearly shows
> there's something wrong with slapd, as s_server works
> OK under the same conditions...

Might be worth asking on the openldap mailing list and/or submitting a
bug report.

> Then I created an RSA cert of almost the same contents
> (RSA had email while DSA hadn't) and bit length. This
> surprisingly enabled s_client to succeed.
> I suspect a bug in slapd's handling of SSL_CTX or
> DH params... I'd love to have more time to check and
> report it. :(
> > > It looks like the bug is in libnss-ldap, or libpam-ldap,
> > > not in su, but this has to be proven first.
> Soon I'll be close to this.

Getting there... ;)

Greg Matthews           01491 692445
Head of UNIX/Linux, iTSS Wallingford
