It looks like my problem was that with LDAP-UX you can only use TLS over an
unencrypted port.  If you try to use it over 636 it fails.  I guess this is
normal.  Thanks for the help.

On Wed, May 28, 2008 at 1:01 PM, Philip Guenther <
[EMAIL PROTECTED] <[EMAIL PROTECTED]>> wrote:

> On Wed, 28 May 2008, Michael Ströder wrote:
>
>> Adam Leach wrote:
>>
>>> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
>>> TLS: can't accept.
>>> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>>> s23_srvr.c:580
>>>
>>
>> Looks like your client tries to negotiate the SSLv23 protocol variant and
>> your server does not accept this. You might have a look at the client's
>> configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for
>> security reasons anyway.
>>
>
> "SSLv23" is OpenSSL's name for the version negotiation code, handling the
> choice between SSLv2, SSLv3, and TLSv1.  Support for specific versions can
> be disabled using the SSL_{,CTX_}set_options() functions...which OpenLDAP
> doesn't call.  With that ruled out, it looks from the OpenSSL code that the
> "unknown protocol" error would only be generated when the client sent
> something that didn't look like either the SSLv2 format or the SSLv3/TLS
> format, such as if it sent normal LDAP on the ldaps port.
>
>
> Philip Guenther
>



-- 
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
System Administrator - Raytheon
(304)677-4455

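The following is an added example, not code from the thread or from OpenLDAP, LDAP-UX or OpenSSL. It models in Python the decision Philip describes: OpenSSL's SSLv23 server-side code looks at the first bytes a client sends and treats them as an SSLv2 ClientHello, an SSLv3/TLS handshake record, or "unknown protocol". The byte checks approximate ssl23_get_client_hello() from memory and omit some of its fields; the three sample messages are constructed here, not captured from anyone's systems, and the assumption that LDAP-UX opens with a StartTLS ExtendedRequest in the clear is mine, not something the thread states. The LDAP message is what a StartTLS client would send first, so feeding it to the classifier shows why pointing such a client at 636 produces exactly the "unknown protocol" error quoted above.

```python
# Added example: approximate OpenSSL's SSLv23 dispatch on a client's first bytes
# and recognise plain LDAP (a BER SEQUENCE) as the usual cause of
# "SSL23_GET_CLIENT_HELLO:unknown protocol" on an ldaps port.

SSL2_MT_CLIENT_HELLO = 0x01   # SSLv2 MSG-CLIENT-HELLO
SSL3_RT_HANDSHAKE = 0x16      # SSLv3/TLS record type: handshake
SSL3_VERSION_MAJOR = 0x03     # SSLv3 and every TLS version share major 3
SSL3_MT_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
BER_SEQUENCE = 0x30           # every LDAPMessage starts with a SEQUENCE tag
BER_INTEGER = 0x02            # messageID is the first element of the SEQUENCE


def classify_first_bytes(data: bytes) -> str:
    """Return "SSLv2", "SSLv3/TLS" or "unknown protocol" for a connection's first bytes.

    Simplified model of OpenSSL's ssl23_get_client_hello(); the real code
    also checks lengths and the version inside the handshake message.
    """
    if len(data) < 11:
        raise ValueError("need at least 11 bytes to classify")
    p = data
    # SSLv2 record: high bit of byte 0 set (2-byte length header), byte 2 is
    # MSG-CLIENT-HELLO, then version 0x0002 (SSLv2) or major 0x03 (SSLv3/TLS
    # offered inside an SSLv2-format hello, as OpenSSL's SSLv23 client does).
    if (p[0] & 0x80) and p[2] == SSL2_MT_CLIENT_HELLO and (
        (p[3] == 0x00 and p[4] == 0x02) or p[3] == SSL3_VERSION_MAJOR
    ):
        return "SSLv2"
    # SSLv3/TLS record: handshake content type, major version 3, and the first
    # handshake message in the record is a ClientHello.
    if (p[0] == SSL3_RT_HANDSHAKE and p[1] == SSL3_VERSION_MAJOR
            and p[5] == SSL3_MT_CLIENT_HELLO):
        return "SSLv3/TLS"
    return "unknown protocol"


def looks_like_ldap(data: bytes) -> bool:
    """True if the bytes start like a BER LDAPMessage: SEQUENCE, short length, INTEGER messageID."""
    return len(data) >= 4 and data[0] == BER_SEQUENCE and data[1] < 0x80 and data[2] == BER_INTEGER


def diagnose(data: bytes) -> str:
    """Turn the classifier result into the explanation an LDAP admin needs."""
    kind = classify_first_bytes(data)
    if kind != "unknown protocol":
        return f"{kind} handshake: an ldaps listener can proceed"
    if looks_like_ldap(data):
        return ("unknown protocol: plain LDAP (BER SEQUENCE) arrived on the ldaps port; "
                "the client is doing StartTLS, so point it at 389, not 636")
    return "unknown protocol: neither SSLv2, SSLv3/TLS nor LDAP"


# Constructed sample inputs (assumed shapes, not captured traffic).

# TLS 1.0 ClientHello: record header 16 03 01 <len 0x2f>, then handshake type
# 01, 3-byte length 0x2b, client version 03 01, padded to the record length.
TLS_CLIENT_HELLO = bytes.fromhex("16 03 01 00 2f 01 00 00 2b 03 01") + bytes(41)

# SSLv2-format ClientHello offering TLS 1.0: 2-byte header 80 2e (length 46),
# MSG-CLIENT-HELLO 01, version 03 01, cipher-spec/session-id/challenge lengths.
SSLV2_CLIENT_HELLO = bytes.fromhex("80 2e 01 03 01 00 15 00 00 00 10") + bytes(37)

# LDAP StartTLS ExtendedRequest, messageID 1, requestName OID 1.3.6.1.4.1.1466.20037
# (RFC 4511 section 4.14). Sent in the clear before any TLS handshake.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
LDAP_STARTTLS_REQUEST = (
    bytes([BER_SEQUENCE, 3 + 2 + 2 + len(STARTTLS_OID)])  # LDAPMessage SEQUENCE
    + bytes([BER_INTEGER, 0x01, 0x01])                    # messageID INTEGER 1
    + bytes([0x77, 2 + len(STARTTLS_OID)])                # ExtendedRequest [APPLICATION 23]
    + bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID     # requestName [0] LDAPOID
)

if __name__ == "__main__":
    for name, msg in (("TLS ClientHello", TLS_CLIENT_HELLO),
                      ("SSLv2 ClientHello", SSLV2_CLIENT_HELLO),
                      ("LDAP StartTLS request", LDAP_STARTTLS_REQUEST)):
        print(f"{name:22s} -> {diagnose(msg)}")
```

Run it and the LDAP StartTLS request is the only input that comes back as "unknown protocol", which is the failure mode in the quoted trace: the server on 636 expects a hello, the StartTLS client sends BER-encoded LDAP first. The fix Adam landed on (StartTLS over the plain port, ldaps only for clients that begin with a TLS handshake) follows directly.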