Hi, Andreas Hasenack <[EMAIL PROTECTED]> writes:
> I reviewed ITS#4082 and I have that patch applied in tls.c (I'm running
> 2.3.11 which has it). However, I still get TLS errors when using "ldapsearch -ZZ":
>
> connection_get(13)
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=0
>
> TLS: can't accept.
> connection_read(13): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> daemon: removing 13
> conn=0 fd=13 closed (TLS negotiation failure)
>
> The client (ldapsearch) displays "ldap_start_tls: Connect error (-11)".
>
> ldapsearch -H ldaps:// also doesn't work:
>
> connection_get(14)
> connection_get(14): got connid=1
> connection_read(14): checking for input on id=1
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=0
>
> TLS: can't accept.
> connection_read(14): TLS accept error error=-1 id=1, closing
> connection_closing: readying conn=1 sd=14 for close
> connection_close: conn=1 sd=14
> daemon: removing 14
> conn=1 fd=14 closed (TLS negotiation failure)
>
> Here the client displays "ldap_bind: Can't contact LDAP server (-1)".

I just experienced the same problem and it took me a few minutes to find the reason, which resulted in

TLS trace: SSL3 alert read:fatal:certificate expired
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired s3_pkt.c:1052
connection_read(15): TLS accept error error=-1 id=1, closing

Creating and signing a new set of certificates solved it.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6

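As an added example (not part of the thread), a small Python triage routine over constructed slapd debug lines modelled on the two captures above: it separates a client that simply hung up during the handshake (tls_read got=0, no alert, as in Andreas's log) from a client that rejected the server with a fatal alert (certificate expired, as in Dieter's log), so the cause is visible without reading the whole trace. The sample log and the heuristic that trace lines of one handshake are contiguous are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the slapd -d output quoted in the thread: a
# client that just hangs up, then a client that rejects the server certificate.
SAMPLE_LOG = """\
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=0, closing
conn=0 fd=13 closed (TLS negotiation failure)
connection_read(15): checking for input on id=1
TLS trace: SSL3 alert read:fatal:certificate expired
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired s3_pkt.c:1052
connection_read(15): TLS accept error error=-1 id=1, closing
conn=1 fd=15 closed (TLS negotiation failure)
"""

ALERT_RE = re.compile(r"^TLS trace: SSL3 alert read:fatal:(?P<alert>.+)$")
LIBERR_RE = re.compile(r"^TLS: error:(?P<code>[0-9A-Fa-f]+):(?P<text>.+)$")
EOF_RE = re.compile(r"^tls_read: want=\d+, got=0$")
CLOSED_RE = re.compile(r"^conn=(?P<conn>\d+) fd=(?P<fd>\d+) closed \(TLS negotiation failure\)$")

def triage_tls_failures(log: str) -> List[Dict[str, Optional[str]]]:
    """One record per failed handshake, with the most specific cause seen. Assumes the
    trace lines of one handshake are contiguous (TLS trace lines carry no conn id)."""
    results: List[Dict[str, Optional[str]]] = []
    alert = code = text = None
    eof = False
    for line in log.splitlines():
        if m := ALERT_RE.match(line):
            alert = m["alert"].strip()            # e.g. "certificate expired"
        elif m := LIBERR_RE.match(line):
            code, text = m["code"], m["text"]     # OpenSSL error code and reason
        elif EOF_RE.match(line):
            eof = True                             # peer hung up without an alert
        elif m := CLOSED_RE.match(line):
            cause = (f"peer sent fatal alert: {alert}" if alert
                     else "peer closed the connection without sending an alert" if eof
                     else "unknown")
            results.append({"conn": m["conn"], "fd": m["fd"], "alert": alert,
                            "openssl_error": code, "detail": text, "cause": cause})
            alert = code = text = None             # reset for the next handshake
            eof = False
    return results
```

A "peer sent fatal alert: certificate expired" record points at the server's own certificate chain (as here, where reissuing the certificates fixed it), whereas a bare hang-up with no alert usually means the client never got far enough to complain and has to be debugged from its side.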