Read ITS#5341. It has the fix. --Quanah
--On February 6, 2008 5:44:26 PM +0000 [EMAIL PROTECTED] wrote:

> Full_Name: GG
> Version: 2.4.7
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.2.41.131)
>
>
> I was investigating a problem: I couldn't ldapsearch to my ldap directory
> in TLS:
> ldapsearch -Z -H ldap://127.0.0.1 -x uid=gab returns:
>
> ldap_start_tls: Connect error (-11)
> ldap_result: Can't contact LDAP server (-1)
>
> It is an openldap 2.4.7 on Debian (Etch). It is built against gnutls. And
> as it was working with openldap 2.3.30, and it works with openldap 2.4.7
> built on Crux (self-made package, built against openssl), I tried to
> compile it on my gentoo ('cause it has the .h of everything, and much
> more CPU :) ), from sources.
>
> When built with --with-tls=openssl, the ldapsearch above is ok.
> When built with --with-tls=gnutls, it fails:
>
> I modified slapd.conf accordingly to match the syntax of tlsciphersuite with
> gnutls or openssl
>
> Debugs
> slapd:
> [ ... ]
> TLS: gnutls_certificate_verify_peers2 failed -49
> connection_read(12): TLS accept failure error=-1 id=1, closing
> connection_closing: readying conn=1 sd=12 for close
> daemon: activity on 1 descriptor
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> connection_close: conn=1 sd=12
> daemon: removing 12
> tls_write: want=181, written=181
> [ ... ]
> tls_read: want=5 error=Ressource temporairement non disponible
> conn=1 fd=12 closed (TLS negotiation failure)
>
> ldapsearch:
> [ ... ]
> ldap_chkResponseList ld 0x8057dd8 msgid 2 all 1
> ldap_chkResponseList returns ld 0x8057dd8 NULL
> ldap_int_select
> read1msg: ld 0x8057dd8 msgid 2 all 1
> ber_get_next
> tls_read: want=5, got=5
> 0000: 15 03 01 00 b0 .....
> tls_read: want=176, got=176
> [ ... ]
> TLS trace: SSL3 alert read:warning:close notify
> ldap_read: want=8, got=0
>
> ber_get_next failed.
> ldap_perror
> ldap_result: Can't contact LDAP server (-1)
>
> Versions:
> gnutls: 2.0.4
> openssl: 0.9.8g
>
>

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
