Mathias Gug wrote:
> Hi Nicolas,
>
> On Fri, Jul 24, 2009 at 11:16 AM, Nicolas Jungers<[email protected]> wrote:
>> Package: slapd
>> Version: 2.4.11-1
>>
>>
>> #-------- bits from slapd.conf
>>
>> # TLS configuration
>> # CA
>> TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
>> # Cert
>> TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
>> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
>> #TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)
>
> Could you try to add the CA Certificate
> (/etc/ssl/certs/cacert.org.pem) to the TLSCertificateFile?

cat cacert.org.pem main.jungers.net.pem > ldap.jungers.net.pem

# TLS configuration
# CA
#TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
# Cert
#TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
TLSCertificateFile /etc/ssl/certs/ldap.jungers.net.pem
TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
#TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)

/etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong
please refer to the system's logfiles (e.g. /var/log/syslog) or try running
the daemon in Debug mode like via "slapd -d 16383" (warning: this will create
copious output).
Below, you can find the command line options used by this script to run slapd.
Do not forget to specify those options if you want to look to debugging output:
slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf
 5595 pts/12 S+ 0:00 grep slapd

and

main slapd[5591]: main: TLS init def ctx failed: -60

>
>>
>>
>> #-------- if I try gnutls-cli I get
>>
>> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389 main.jungers.net
>> Processed 2 CA certificate(s).
>> Resolving 'main.jungers.net'...
>> Connecting to '91.121.14.130:389'...
>> *** Fatal error: A TLS packet with unexpected length was received.
>> *** Handshake has failed
>> GNUTLS ERROR: A TLS packet with unexpected length was received.
>
> You should use the --starttls option to test against port 389 as this
> port expects to start a plain connection (which is then upgraded to an
> encrypted connection with startTLS).

ok, but it still fails

gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem --starttls -p 389 main.jungers.net
Processed 2 CA certificate(s).
Resolving 'main.jungers.net'...
Connecting to '91.121.14.130:389'...
- Simple Client Mode:

*** Starting TLS handshake
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
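As an added illustration (this is not code from the thread above, nor from OpenLDAP or GnuTLS), the Python script below does by hand what gnutls-cli --starttls does against port 389: it sends the LDAP StartTLS ExtendedRequest over the plain connection, checks the ExtendedResponse, and only then starts the TLS handshake, which is why a direct TLS connection to 389 gets a plain-LDAP answer and fails with "unexpected length". It assumes a host name and CA file of your own, a messageID below 128, and that the short ExtendedResponse arrives in a single recv; the sample response at the bottom is constructed.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511, 4.14)
def ber_len(n):  # encode a BER length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):  # one BER tag-length-value element
    return bytes([tag]) + ber_len(len(body)) + body
def read_tlv(buf, pos):  # decode one BER element at buf[pos] -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }, msg_id < 128."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, rc, pos = read_tlv(op, 0)   # ENUMERATED resultCode
    _, _, pos = read_tlv(op, pos)  # matchedDN, ignored
    _, err, _ = read_tlv(op, pos)  # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), err.decode("utf-8", "replace")

def ldap_starttls(host, cafile, port=389):
    """Plain LDAP connect, StartTLS exchange, then the TLS upgrade; returns the verified peer certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request())
        _, rc, err = parse_extended_response(sock.recv(4096))  # assumes the short response arrives in one read
        if rc != 0:
            raise RuntimeError(f"server refused StartTLS: resultCode={rc} {err!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # the TLS handshake starts only here
            return tls.getpeercert()
# Constructed sample: the success ExtendedResponse a server sends back before the handshake.
SAMPLE_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))
```

A non-zero resultCode in the response means the server declined the upgrade before any TLS packet was exchanged; a failure only after the handshake starts points at the certificate material instead.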

