[email protected] wrote: > ldapsearch doesn't seem to have any issues. I went from master to consumer, > consumer to master, and consumer to consumer. Returns data. Here's the TLS > lines from debugging:
Now run slapd with -d-1 and look at the corresponding output. Are you sure you set the new CA in the consumer's TLS config? > > TLS trace: SSL_connect:before SSL initialization > TLS trace: SSL_connect:SSLv3/TLS write client hello > TLS trace: SSL_connect:SSLv3/TLS write client hello > TLS trace: SSL_connect:SSLv3/TLS read server hello > TLS trace: SSL_connect:TLSv1.3 read encrypted extensions > TLS trace: SSL_connect:SSLv3/TLS read server certificate request > TLS certificate verification: depth: 3, err: 0, subject: /C=US/ST=New > Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification > Authority, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST > Network/CN=USERTrust RSA Certification Authority > TLS certificate verification: depth: 2, err: 0, subject: /C=GB/O=Sectigo > Limited/CN=Sectigo Public Server Authentication Root R46, issuer: > /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA > Certification Authority > TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=InCommon, > LLC/CN=InCommon RSA OV SSL CA 3, issuer: /C=GB/O=Sectigo Limited/CN=Sectigo > Public Server Authentication Root R46 > TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=New > Jersey/O=Rutgers, The State University of New > Jersey/CN=idm-ldap-abusec101-prod-asb.ei.rutgers.edu, issuer: > /C=US/O=InCommon, LLC/CN=InCommon RSA OV SSL CA 3 > TLS trace: SSL_connect:SSLv3/TLS read server certificate > TLS trace: SSL_connect:TLSv1.3 read server certificate verify > TLS trace: SSL_connect:SSLv3/TLS read finished > TLS trace: SSL_connect:SSLv3/TLS write change cipher spec > TLS trace: SSL_connect:SSLv3/TLS write client certificate > TLS trace: SSL_connect:SSLv3/TLS write finished > TLS trace: SSL_connect:SSL negotiation finished successfully > TLS trace: SSL_connect:SSL negotiation finished successfully > TLS trace: SSL_connect:SSLv3/TLS read server session ticket > TLS trace: SSL_connect:SSL negotiation finished successfully > TLS trace: SSL_connect:SSL negotiation finished successfully > TLS trace: SSL_connect:SSLv3/TLS read server session ticket > TLS trace: SSL3 alert write:warning:close notify > > Nothing odd in the rest of the output. The only thing that is failing is > replication. > > Also, tls_reqcert settings are similar, either demand or try in both > slapd.conf and ldap.conf. > > -ds > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
