[email protected] wrote:
> ldapsearch doesn't seem to have any issues.  I went from master to consumer, 
> consumer to master, and consumer to consumer.  Returns data.  Here's the TLS 
> lines from debugging:

Now run slapd with -d-1 and look at the corresponding output.

Are you sure you set the new CA in the consumer's TLS config?
> 
> TLS trace: SSL_connect:before SSL initialization
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> TLS trace: SSL_connect:SSLv3/TLS read server hello
> TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
> TLS trace: SSL_connect:SSLv3/TLS read server certificate request
> TLS certificate verification: depth: 3, err: 0, subject: /C=US/ST=New 
> Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification 
> Authority, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST 
> Network/CN=USERTrust RSA Certification Authority
> TLS certificate verification: depth: 2, err: 0, subject: /C=GB/O=Sectigo 
> Limited/CN=Sectigo Public Server Authentication Root R46, issuer: 
> /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA 
> Certification Authority
> TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=InCommon, 
> LLC/CN=InCommon RSA OV SSL CA 3, issuer: /C=GB/O=Sectigo Limited/CN=Sectigo 
> Public Server Authentication Root R46
> TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=New 
> Jersey/O=Rutgers, The State University of New 
> Jersey/CN=idm-ldap-abusec101-prod-asb.ei.rutgers.edu, issuer: 
> /C=US/O=InCommon, LLC/CN=InCommon RSA OV SSL CA 3
> TLS trace: SSL_connect:SSLv3/TLS read server certificate
> TLS trace: SSL_connect:TLSv1.3 read server certificate verify
> TLS trace: SSL_connect:SSLv3/TLS read finished
> TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
> TLS trace: SSL_connect:SSLv3/TLS write client certificate
> TLS trace: SSL_connect:SSLv3/TLS write finished
> TLS trace: SSL_connect:SSL negotiation finished successfully
> TLS trace: SSL_connect:SSL negotiation finished successfully
> TLS trace: SSL_connect:SSLv3/TLS read server session ticket
> TLS trace: SSL_connect:SSL negotiation finished successfully
> TLS trace: SSL_connect:SSL negotiation finished successfully
> TLS trace: SSL_connect:SSLv3/TLS read server session ticket
> TLS trace: SSL3 alert write:warning:close notify
> 
> Nothing odd in the rest of the output.  The only thing that is failing is 
> replication.
> 
> Also, tls_reqcert settings are similar, either demand or try in both 
> slapd.conf and ldap.conf.
> 
> -ds
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to