The one that works fine was my openxchange server, that loads contacts from openldap.

In my opinion I don't have a security framework like SELinux or AppArmor installed.

The output of namei -l /etc/ssl/certs/LetsEncrypt.pem:
f: /etc/ssl/certs/LetsEncrypt.pem
drwxr-xr-x root root     /
drwxr-xr-x root root     etc
drwxr-xr-x root root     ssl
drwxr-xr-x root root     certs
lrwxrwxrwx root root LetsEncrypt.pem -> /etc/ssl/own/LetsEncrypt.crt
drwxr-xr-x root root       /
drwxr-xr-x root root       etc
drwxr-xr-x root root       ssl
drwxr-x--- root ssl-cert   own
-rw-r----- root ssl-cert   LetsEncrypt.crt

Tobias

On 2017-03-20 21:49, Aki Tuomi wrote:
Did you do some successful lookup with something there? I can see a few
failed attempts and one that seems to have worked just fine.

As pointed out earlier, are you using security frameworks like
SELinux or AppArmor? Also, can you provide namei -l
/etc/ssl/certs/LetsEncrypt.pem

The failed attempts are really short, indicating a VERY early problem
with SSL handshake.

Aki

On March 20, 2017 at 9:24 PM [email protected] wrote:


I have a new pcap from beginning to end with openldap "TLS
negotiation failed"

https://gwarband.de/openldap/tracefile.dump

The sourceports are 45376 and 45377

Tobias

On 2017-03-20 19:59, Aki Tuomi wrote:
Well, those actually *reduce* the possible algorithms that can be
used, so uncommenting those can make things worse.

Anyways, your pcap seems incomplete, can you try again?

Aki

On March 20, 2017 at 8:14 PM [email protected] wrote:


I have also tested with 2.2.28 and this version has the same issue.

Finding compatible ciphers is not the problem, because I have
uncommented the LDAP entries:
TLSCipherSuite
SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin          3.1

Maybe you have further ideas.

On 2017-03-20 17:42, Aki Tuomi wrote:
On March 20, 2017 at 5:28 PM [email protected] wrote:


Can somebody say something about this request?

This is an email from the openldap-technical mailing list from
openldap.

System details are mentioned in the other email.

-------- Original Message --------
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-20 16:18
From: Dan White <[email protected]>
To: [email protected]
Cc: [email protected]

On 03/20/17 16:06 +0100, [email protected] wrote:
Debug Dovecot's implementation of ldap_start_tls_s().
I don't have any idea how to set a higher debug level in dovecot. In
my opinion I have the highest, so I can't deliver a greater log.

I recommend consulting Dovecot's advice on how to run a debugger, or
dig into the code which calls libldap.

Hi!
I just ran a quick test, and the following things are needed:

uris = ldap://ldap.host.com
tls = yes
tls_ca_cert_file = /path/to/cert-bundle.crt

this has been tested with 2.2.28, and works just fine. Not sure why
you are having issues.

Of course this could be anything from not finding compatible
ciphers to the LDAP server actually expecting a client certificate,
what with the logs not actually being too verbose, unfortunately. There
isn't too much to "debug" in Dovecot's TLS implementation; it's not
doing anything fancy aside from calling ldap_start_tls_s.

I am not sure what debugging you could try further.

Aki
