Package: slapd
Version: 2.4.7-6.1

lenny amd64
libgnutls26 2.2.2-1

doing a TLS query (-Z or -ZZ) will fail:

ldap_start_tls: Connect error (-11)

gnutls-cli says:

[EMAIL PROTECTED]:~$ gnutls-cli-debug host -p 389
Resolving 'host'...
Connecting to '127.0.1.1:389'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... no

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
[EMAIL PROTECTED]:~$

in slapd.conf:

TLSCertificateFile /etc/ldap/host.crt
TLSCertificateKeyFile /etc/ldap/host.key

are configured. permissions are correct (host.key: 640 root:openldap), strace shows that slapd opens and reads both files.

running the above gnutls-cli-debug against:

sudo -u openldap gnutls-serv --x509keyfile /etc/ldap/host.key --x509certfile /etc/ldap/host.crt

works (all TLS/SSL supported).

i tried slapd.conf with and without each of:

security       tls=128
TLSVerifyClient never
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
(plus with TLSCipherSuite listing all supported suites according to gnutls-cli -l)

when trying a query with TLS, slapd -d 1 says:

slap_listener_activate(8):
>>> slap_listener(ldap:///)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS: can't accept: A record packet with illegal version was received..
connection_read(13): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

i guess if it were a general bug in the slapd package there should be at least some amount of hue and cry about it - but there isn't, so it might be some sort of special case here, therefore i'd rather refrain from labelling this 'severity: important'...

i'd actually consider both any 'worksforme' and 'doesntworkheretoo' notes valuable... :)

regards,

        Chris
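An added example, not part of Chris's report or of OpenLDAP/GnuTLS code: a minimal BER encoder and decoder for the LDAP StartTLS exchange, so the numbers in the slapd -d 1 trace above (request "tag 0x30 len 29", response "tag=120 err=0", "14 bytes" flushed) can be checked byte by byte before the TLS handshake that then fails. The response bytes are constructed to match what the trace describes.

```python
# Added example: encode the StartTLS ExtendedRequest (RFC 4511) and
# decode the ExtendedResponse, checking them against the slapd trace.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS operation OID

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))  # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([msgid])) + ext)  # contents are 29 bytes, as slapd logs

def read_tlv(buf: bytes, off: int):
    """Return (tag, value, offset after the TLV) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    return tag, buf[off:off + length], off + length

def parse_extended_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] = tag 120 }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, off = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, off)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 120)")
    _, rc, off = read_tlv(op, 0)           # resultCode ENUMERATED (0 = success)
    _, matched, off = read_tlv(op, off)    # matchedDN, empty here
    _, diag, off = read_tlv(op, off)       # diagnosticMessage, empty here
    # responseName [10] is optional; slapd logged "oid= len=0", so none is present.
    return {"msgid": int.from_bytes(mid, "big"), "result": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode(), "diag": diag.decode()}

def is_tls_record_header(first: bytes) -> bool:
    """After result 0 the client's next bytes must be a TLS record (handshake, version 3.x);
    anything else is what slapd reports as 'A record packet with illegal version'."""
    return len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03

# Constructed sample: the 14-byte success response described in the trace.
SAMPLE_RESPONSE = bytes.fromhex("300c02010178070a010004000400")
```

Comparing a packet capture of the failing exchange against these encodings shows whether the problem lies in the LDAP layer (the 31-byte request and 14-byte response) or in the first TLS record sent afterwards.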
