I am trying to get an LDAP client to talk to the server over TLS/SSL. The
command I am using is "ldapsearch -Z .."
However, the transaction fails during the TLS handshake protocol. I
am using openldap 2.1.3, openssl 0.9.6c and HPUX 11.0
client
-------
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=ILLINOIS/L=LisleCA/O=Comnet [EMAIL PROTECTED], issuer: /C=US/ST=ILLINOIS/L=LisleCA/O=Comnet Int/OU=CA/CN=aptrain.comneti.com/Email=dvs@comneti.com
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=ILLINOIS/O=Comnet [EMAIL PROTECTED], issuer: /C=US/ST=ILLINOIS/L=LisleCA/O=Comnet [EMAIL PROTECTED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:error in SSLv3 read finished A
TLS trace: SSL_connect:error in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
server
-------
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 80 01 03 01 00 57 00 00 00 20  ......W...
tls_read: want=119, got=119
......................... snip .................
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1963, written=1963
......................snip..........................
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
connection_read(10): TLS accept error error=-1 id=2, closing
connection_closing: readying conn=2 sd=10 for close
connection_close: conn=2 sd=10
daemon: removing 10
It looks like the openldap server does not receive the client message
during the handshake and the protocol fails.
I am using openssl 0.9.6c and openldap 2.1.3
Looking at the openldap mailing archives it was mentioned that the error
"error=Resource temporarily unavailable" is normal, and I do see
it showing up in the server log routinely when I do ldapsearches without
using TLS (I tried to increase the NPROC kernel tunable but it didn't help).
I have been able to get the openssl client to talk to the openssl server. Is there a way I can get the openssl client to establish TLS with the openldap server?
Thanks in advance for any advice,
regards,
dinesh
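As an added example (not part of the original post or of OpenLDAP/OpenSSL), here is a small parser for OpenSSL trace output of the kind shown above. For each side it reports the last handshake state that completed, the state in which the first error was raised, how many reads or writes returned "Resource temporarily unavailable", and whether any "TLS certificate verification" line carried a non-zero err code. The embedded traces are constructed and abridged from the client and server logs in the post (subject and issuer names are placeholders), and the `diagnose` labels and heuristic are my own, not an OpenLDAP diagnostic.

```python
import re
from typing import Iterable, NamedTuple, Optional, Tuple

# Constructed sample traces, abridged from the client and server logs in the
# post; subject/issuer names are placeholders, not the original certificates.
CLIENT_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /O=Example CA, issuer: /O=Example CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.example, issuer: /O=Example CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:error in SSLv3 read finished A
TLS trace: SSL_connect:error in SSLv3 read finished A
TLS: can't connect.
"""

SERVER_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1963, written=1963
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
"""

TRACE_RE = re.compile(r"^TLS trace: SSL_(?:connect|accept):(?P<state>.+)$")
ERROR_RE = re.compile(r"^error in (?P<state>.+)$")
IO_ERR_RE = re.compile(r"^tls_(?:read|write): want=\d+ error=(?P<err>.+)$")
VERIFY_RE = re.compile(r"^TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+)")


class HandshakeReport(NamedTuple):
    states: Tuple[str, ...]                     # handshake states completed, in order
    failed_in: Optional[str]                    # state in which the first error was raised
    would_block: int                            # I/O calls that hit "temporarily unavailable"
    verify_errors: Tuple[Tuple[int, int], ...]  # (depth, err) pairs with err != 0

    @property
    def last_ok(self) -> str:
        return self.states[-1] if self.states else ""


def parse_trace(lines: Iterable[str]) -> HandshakeReport:
    """Walk one side's trace and summarise how far the handshake got."""
    states = []
    failed_in = None
    would_block = 0
    verify_errors = []
    for raw in lines:
        line = raw.strip()
        io = IO_ERR_RE.match(line)
        if io:
            if "temporarily unavailable" in io.group("err"):
                would_block += 1
            continue
        v = VERIFY_RE.match(line)
        if v:
            if int(v.group("err")) != 0:
                verify_errors.append((int(v.group("depth")), int(v.group("err"))))
            continue
        m = TRACE_RE.match(line)
        if not m:
            continue
        state = m.group("state").strip()
        err = ERROR_RE.match(state)
        if err:
            if failed_in is None:
                failed_in = err.group("state").strip()
            continue
        states.append(state)
    return HandshakeReport(tuple(states), failed_in, would_block, tuple(verify_errors))


def diagnose(client: HandshakeReport, server: HandshakeReport) -> str:
    """Heuristic classification (my own labels) of a failed handshake from both traces."""
    if client.verify_errors or server.verify_errors:
        return "CERT_VERIFY_FAILED"
    client_sent_finished = any("write finished" in s for s in client.states)
    server_stuck_reading = server.failed_in is not None and " read " in server.failed_in
    if client_sent_finished and server_stuck_reading and server.would_block > 0:
        # Client flushed its Finished flight; the server's next read would have
        # blocked and was then abandoned, so that flight was never consumed.
        return "CLIENT_FLIGHT_NOT_RECEIVED"
    if server_stuck_reading:
        return "SERVER_READ_FAILED"
    if client.failed_in is not None:
        return "CLIENT_FAILED_IN:" + client.failed_in
    return "UNCLASSIFIED"


if __name__ == "__main__":
    c = parse_trace(CLIENT_TRACE.splitlines())
    s = parse_trace(SERVER_TRACE.splitlines())
    for side, r in (("client", c), ("server", s)):
        print(f"{side}: last ok = {r.last_ok!r}, failed in = {r.failed_in!r}, "
              f"would-block = {r.would_block}, verify errors = {r.verify_errors}")
    print("diagnosis:", diagnose(c, s))
```

Read side by side, the two reports show that certificate verification passed at both depths (err: 0), so this is not a trust or chain problem, and that the client got as far as flushing its Finished message while the server's very next read reported "Resource temporarily unavailable" and then gave up in a read state. On a non-blocking socket that errno is a retry condition for the handshake read rather than a fatal error, so the thing to confirm on the server side is whether the read was retried before the connection was closed.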
