Not that it should matter, but did you generate your server certificate with openssl or certtool?
On Fri, Jul 24, 2009 at 10:11 AM, Nicolas Jungers <[email protected]> wrote:
> Mathias Gug a écrit :
> > Hi Nicolas,
> >
> > On Fri, Jul 24, 2009 at 11:16 AM, Nicolas Jungers <[email protected]> wrote:
> >> Package: slapd
> >> Version: 2.4.11-1
> >>
> >>
> >> #-------- bits from slapd.conf
> >>
> >> # TLS configuration
> >> # CA
> >> TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
> >> # Cert
> >> TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
> >> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
> >> #TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)
> >
> > Could you try to add the CA Certificate
> > (/etc/ssl/certs/cacert.org.pem) to the TLSCertificateFile?
>
> cat cacert.org.pem main.jungers.net.pem > ldap.jungers.net.pem
>
> # TLS configuration
> # CA
> #TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
> # Cert
> #TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
> TLSCertificateFile /etc/ssl/certs/ldap.jungers.net.pem
> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
> #TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)
>
>
> /etc/init.d/slapd restart
> Stopping OpenLDAP: slapd.
> Starting OpenLDAP: slapd - failed.
> The operation failed but no output was produced. For hints on what went
> wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
> try running the daemon in Debug mode like via "slapd -d 16383" (warning:
> this will create copious output).
>
> Below, you can find the command line options used by this script to
> run slapd. Do not forget to specify those options if you
> want to look to debugging output:
> slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf
> 5595 pts/12 S+ 0:00 grep slapd
>
> and
>
> main slapd[5591]: main: TLS init def ctx failed: -60
>
> >
> >>
> >>
> >> #-------- if I try gnutls-cli I get
> >>
> >> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389 main.jungers.net
> >> Processed 2 CA certificate(s).
> >> Resolving 'main.jungers.net'...
> >> Connecting to '91.121.14.130:389'...
> >> *** Fatal error: A TLS packet with unexpected length was received.
> >> *** Handshake has failed
> >> GNUTLS ERROR: A TLS packet with unexpected length was received.
> >
> > You should use the --starttls option to test against port 389 as this
> > port expects to start a plain connection (which is then upgraded to an
> > encrypted connection with startTLS).
>
> ok, but it still fails
>
> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem --starttls -p 389 main.jungers.net
> Processed 2 CA certificate(s).
> Resolving 'main.jungers.net'...
> Connecting to '91.121.14.130:389'...
>
> - Simple Client Mode:
>
>
> *** Starting TLS handshake
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
>
>
>
> _______________________________________________
> Pkg-openldap-devel mailing list
> [email protected]
> http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel
>
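The thread concatenates the CA certificate in front of the server certificate; a useful pre-restart check for a TLSCertificateFile / TLSCertificateKeyFile pair is to confirm that the first certificate in the chain file matches the private key and that the leaf verifies against the CA. Added shell example, not code from the thread or from the OpenLDAP project: it assumes openssl is installed, builds constructed throwaway certificates named after the thread's files, and treats leaf-first ordering (the TLS convention for chain files) as the required order.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a TLSCertificateFile /
# TLSCertificateKeyFile pair before restarting slapd. Assumes openssl is
# installed. The demo builds constructed throwaway certificates.
set -eu

# Succeeds when the FIRST certificate in chain file $1 matches private key $2.
# Chain files are read leaf-first, so the server certificate must lead;
# a CA-first concatenation (as in the thread) fails this check.
cert_matches_key() {
    chain_pub=$(openssl x509 -in "$1" -noout -pubkey)   # reads only the first cert
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$chain_pub" = "$key_pub" ]
}

# Succeeds when the leaf certificate $1 verifies against CA bundle $2.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a constructed demo CA and server certificate in a temp dir; print the dir.
make_demo_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca -days 1 \
        -keyout "$d/ca.key" -out "$d/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=main.jungers.net \
        -keyout "$d/main.jungers.net-key.pem" -out "$d/main.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/main.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/main.jungers.net.pem" >/dev/null 2>&1
    # The thread's order (CA first) next to the leaf-first order a server needs.
    cat "$d/cacert.pem" "$d/main.jungers.net.pem" > "$d/ca-first.pem"
    cat "$d/main.jungers.net.pem" "$d/cacert.pem" > "$d/leaf-first.pem"
    echo "$d"
}

main() {
    d=$(make_demo_certs)
    for f in leaf-first.pem ca-first.pem; do
        if cert_matches_key "$d/$f" "$d/main.jungers.net-key.pem"; then
            echo "$f: first certificate matches the key"
        else
            echo "$f: first certificate does NOT match the key (wrong order?)"
        fi
    done
    chain_verifies "$d/main.jungers.net.pem" "$d/cacert.pem" && echo "chain verifies"
    rm -rf "$d"
}
main "$@"
```

Run it against the real files by calling cert_matches_key and chain_verifies with the paths from slapd.conf instead of the demo directory.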

