On Friday, 20 May 2011 11:50:05 David Dumortier wrote:
> Hi everybody,
>
> I am trying to set up a slapd with TLS.

Do you mean START_TLS on ldap://, or ldaps:// ? I don't think you can test START_TLS on ldap:// with gnutls-cli-debug.

> ldd /usr/sbin/slapd returns gnutls.so as waited.
>
> I generated a self-signed certificate with these options:
> certtool --generate-privkey --outfile /etc/ldap/ssl/mykey.key
> certtool --generate-request --load-privkey /etc/ldap/ssl/mykey.key
> --outfile /etc/ldap/ssl/mycsr.csr
>
> Basic Constraints (critical):
> Certificate Authority (CA): TRUE
> Key Purpose (not critical):
> TLS WWW Client.
> TLS WWW Server.
> Code signing.
> OCSP signing.
> Time stamping.
> Key Usage (critical):
> Digital signature.
> Key encipherment.
> Certificate signing.
> CRL signing.
>
> My slapd starts

With what command-line arguments/options (specifically, what values are provided to the -h option)?

> but when I try a debug I have:
> # gnutls-cli-debug -p 636 myip
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.0 support... no
> Checking for SSL 3.0 support... no
>
> Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1

Before doing this, did you verify that slapd is actually listening for ldaps on port 636? I suspect you are running ldap:// on port 636.

> Here is my slapd conf:
> olcTLSVerifyClient: demand
> olcTLSCertificateFile: /etc/ldap/ssl/mycsr.csr
> olcTLSCertificateKeyFile: /etc/ldap/ssl/mykey.key

Regards,
Buchan
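As an added example (not part of the thread), a small POSIX shell script with two offline checks that follow the reply's suspicion: what each URL in slapd's -h option actually listens for, and whether the file named in olcTLSCertificateFile is a certificate at all or, as in the quoted config, a CSR. The -h values and the PEM files used at the bottom are constructed placeholders to be replaced with the real ones.

```shell
#!/bin/sh
# Added example, not from the original thread. Offline checks for the two
# questions raised in the reply about slapd's TLS listener.

# Print "scheme port" for every listener URL in a slapd -h value, e.g.
# listener_ports 'ldap:/// ldaps:///' -> "ldap 389" and "ldaps 636".
# ldap://:636/ would show up as "ldap 636": plain LDAP on the ldaps port,
# which is exactly what makes gnutls-cli-debug report no TLS support.
listener_ports() {
    for url in $1; do
        scheme=${url%%:*}
        rest=${url#*://}            # host[:port][/...]
        hostport=${rest%%/*}
        case $hostport in
            *:*) port=${hostport##*:} ;;
            *)   case $scheme in
                     ldaps) port=636 ;;   # default ldaps port
                     ldap)  port=389 ;;   # default ldap port
                     *)     port=- ;;     # e.g. ldapi:/// (unix socket)
                 esac ;;
        esac
        printf '%s %s\n' "$scheme" "$port"
    done
}

# Succeeds only if some URL in the -h value is ldaps:// bound to port 636.
tls_on_636() {
    listener_ports "$1" | grep -qx 'ldaps 636'
}

# Classify a PEM file by its first BEGIN line: cert, csr, key or unknown.
# olcTLSCertificateFile must name a certificate; a CSR is not one.
pem_kind() {
    case $(grep -- '^-----BEGIN ' "$1" | head -n 1) in
        *'BEGIN CERTIFICATE REQUEST'*) echo csr ;;
        *'BEGIN CERTIFICATE'*)         echo cert ;;
        *'PRIVATE KEY'*)               echo key ;;
        *)                             echo unknown ;;
    esac
}

# Constructed placeholder -h value; substitute the one slapd was started with.
listener_ports 'ldap://:636/'
tls_on_636 'ldap://:636/' || echo 'nothing speaks TLS on 636'
```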
