Package: slapd
Version: 2.3.30-4
Severity: important

I'm trying to get my clients to authenticate with Certificates. When I set 'TLSVerifyClient try' the connection 'hangs' during the setup phase of the secure connection. The funny thing is that running slapd from a terminal with -d-1 makes it all work brilliantly. I first thought this was related to the fact that it will not detach and run as root, but then I found out that the behaviour was dependent on the debug level. Only if I include '2 -- debug packet handling' in the loglevel can I successfully authenticate with Certificates.

Because the debug output is so different when adding '2', it is hard to compare logfiles. I grepped for 'TLS' to clean it up a bit. It seems something already goes wrong early in the negotiation.

Loglevel 1 (fail):
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B

Loglevel 3 (success):
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 1, err: 0, subject: <CN of certificate issuer>
TLS certificate verification: depth: 0, err: 0, subject: <CN of certificate holder>
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:warning:close notify
TLS trace: SSL3 alert write:warning:close notify

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13.1
Locale: LANG=nl_NL, LC_CTYPE=nl_NL (charmap=UTF-8) (ignored: LC_ALL set to nl_NL.utf8)

Versions of packages slapd depends on:
ii  adduser                     3.102           Add and remove users and groups
ii  coreutils                   5.97-5          The GNU core utilities
ii  debconf [debconf-2.0]       1.5.11          Debian configuration management sy
ii  libc6                       2.3.6.ds1-11    GNU C Library: Shared libraries
ii  libdb4.2                    4.2.52+dfsg-1   Berkeley v4.2 Database Libraries [
ii  libiodbc2                   3.52.4-3        iODBC Driver Manager
ii  libldap-2.3-0               2.3.30-4        OpenLDAP libraries
ii  libltdl3                    1.5.22-4        A system independent dlopen wrappe
ii  libperl5.8                  5.8.8-7         Shared Perl library
ii  libsasl2-2                  2.1.22.dfsg1-8  Authentication abstraction library
ii  libslp1                     1.2.1-6         OpenSLP libraries
ii  libssl0.9.8                 0.9.8c-4        SSL shared libraries
ii  libwrap0                    7.6.dbs-12      Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-perl   5.8.8-7         Larry Wall's Practical Extraction
ii  psmisc                      22.3-1          Utilities that use the proc filesy

Versions of packages slapd recommends:
pn  libsasl2-modules            <none>          (no description available)
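
An added example, not part of the original report: a short Python script that reduces the two grepped traces to their SSL_accept state sequence and reports where the hanging handshake departs from the working one. The function names are hypothetical, and the embedded traces are excerpts of the ones quoted in the report.

```python
import re

# Excerpts of the two traces quoted in the report (its grep 'TLS' output).
FAIL = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B
"""
OK = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 0, err: 0, subject: <CN of certificate holder>
TLS trace: SSL_accept:SSLv3 read client certificate A
"""
TRACE = re.compile(r"TLS trace: SSL_accept:(error in )?(.+)")

def handshake(log):
    """Return (states passed in order, state still pending at end of log)."""
    passed, pending = [], None
    for line in log.splitlines():
        m = TRACE.search(line)
        if not m:
            continue  # e.g. certificate verification lines
        err, state = m.groups()
        if err:
            pending = state   # SSL_accept returned while inside this state
        else:
            passed.append(state)
            pending = None    # a later line shows the handshake moved on
    return passed, pending

def divergence(fail_log, ok_log):
    """Locate where a hanging trace departs from a working one."""
    f_passed, f_pending = handshake(fail_log)
    o_passed, _ = handshake(ok_log)
    n = 0
    while n < min(len(f_passed), len(o_passed)) and f_passed[n] == o_passed[n]:
        n += 1
    return {"last_common": f_passed[n - 1] if n else None,
            "stalled_in": f_pending,
            "ok_next": o_passed[n] if n < len(o_passed) else None}
```

Calling divergence(FAIL, OK) shows both traces agree up to 'SSLv3 write certificate A'; the failing one then stays in 'SSLv3 write certificate request B' while the working one passes 'SSLv3 write certificate request A'.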