I reviewed ITS#4082 and I have that patch applied in tls.c (I'm running 2.3.11 which has it). However, I still get TLS errors when using "ldapsearch -ZZ":

connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
daemon: removing 13
conn=0 fd=13 closed (TLS negotiation failure)

The client (ldapsearch) displays "ldap_start_tls: Connect error (-11)".

ldapsearch -H ldaps:// also doesn't work:

connection_get(14)
connection_get(14): got connid=1
connection_read(14): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept.
connection_read(14): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=14 for close
connection_close: conn=1 sd=14
daemon: removing 14
conn=1 fd=14 closed (TLS negotiation failure)

Here the client displays "ldap_bind: Can't contact LDAP server (-1)".

If I connect to the server on port 636 with the s_client command from openssl (which is also not start_tls), it connects:

(...)
connection_get(14)
connection_get(14): got connid=1
connection_read(14): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000: 80 92 01 03 01 00 69 00 00 00 20  ......i...
tls_read: want=137, got=137
(...)

openldap-2.3.6 works with this config regarding start_tls (didn't test ldaps).

My tls config in slapd.conf has just these two lines:

TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem

That file has the certificate and the private key in it.

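The report above points both TLSCertificateFile and TLSCertificateKeyFile at one combined PEM file. When slapd logs "TLS: can't accept" before any bytes arrive, one thing worth ruling out on the server side is the file itself: that it really contains both a certificate block and a private key block, that each parses, and that the key belongs to that certificate. The script below is an added example, not part of the ITS report and not OpenLDAP code; it assumes only the openssl command-line tool and a POSIX shell. The self-test constructs a throwaway self-signed certificate for the made-up name ldap.example.test and also builds a deliberately mismatched file (the right certificate paired with an unrelated key) to show what the check reports for a broken file.

```shell
#!/bin/sh
# Added example, not part of the ITS report: sanity-check a combined PEM file
# of the kind slapd.conf points both TLSCertificateFile and
# TLSCertificateKeyFile at. Assumes the openssl CLI is installed.
set -e

# check_combined_pem FILE
# Returns 0 when FILE holds a parseable certificate and a private key whose
# public half equals the certificate's public key; returns 1 with a reason
# on any of the usual misconfigurations (missing block, unparseable block,
# key from a different certificate).
check_combined_pem() {
    pem="$1"
    # Pull each PEM block out explicitly instead of relying on openssl to
    # skip over the block it is not looking for.
    cert_block=$(awk '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/' "$pem")
    key_block=$(awk '/^-----BEGIN (RSA |EC )?PRIVATE KEY-----/,/^-----END (RSA |EC )?PRIVATE KEY-----/' "$pem")
    [ -n "$cert_block" ] || { echo "FAIL: no CERTIFICATE block in $pem"; return 1; }
    [ -n "$key_block" ]  || { echo "FAIL: no PRIVATE KEY block in $pem"; return 1; }
    # Public key as embedded in the certificate ...
    cert_pub=$(printf '%s\n' "$cert_block" | openssl x509 -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: certificate in $pem does not parse"; return 1; }
    # ... and the public half derived from the private key.
    key_pub=$(printf '%s\n' "$key_block" | openssl pkey -pubout 2>/dev/null) \
        || { echo "FAIL: private key in $pem does not parse"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key in $pem do not match"
        return 1
    fi
    echo "OK: $pem holds a certificate and its matching private key"
}

# make_test_pems DIR
# Constructs test input (not real deployment material): a throwaway
# self-signed certificate for the made-up name ldap.example.test, written
# as DIR/ldap.pem with the certificate followed by its key, which is the
# single-file layout the report describes; and DIR/mismatch.pem, the same
# certificate paired with an unrelated key.
make_test_pems() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ldap.example.test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/cert.pem" "$dir/key.pem" > "$dir/ldap.pem"
    # A second, unrelated key: pairing it with the first certificate is the
    # kind of quiet mistake that only shows up as a handshake failure.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.pem" 2>/dev/null
    cat "$dir/cert.pem" "$dir/other.pem" > "$dir/mismatch.pem"
}

# Usage: sh check_pem.sh /etc/ssl/openldap/ldap.pem
# With no argument, run the self-test against the constructed files.
if [ $# -gt 0 ]; then
    check_combined_pem "$1"
else
    tmp=$(mktemp -d)
    make_test_pems "$tmp"
    check_combined_pem "$tmp/ldap.pem"
    check_combined_pem "$tmp/mismatch.pem" || true
    rm -rf "$tmp"
fi
```

Run it as root against the real file so the same permissions slapd has apply to the read; a file the check passes but slapd cannot open is the next thing to look at (the slapd user's read access), and only after that the negotiation itself.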