On Thu, 1 May 2008, Simon Josefsson wrote:
Richard,
Hello !
I'm looking at debian bug #466477. Marc F. Clemente's problem discussed in this bug should be resolved with the recent upload, which returns the subject to your original report from February 19th.
Cool, some progress :)
We haven't been able to reproduce this.
Not surprising, the server is an IBM product, based upon older apache2 and openssl (not supporting newer TLS).

$ ldapsearch -x -Hldap://bluepages.ibm.com -b '' -sbase '(objectclass=*)' '*'
...
secureport: 636
security: ssl
port: 389
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
ibmdirectoryversion: 5.2
...
vendorname: International Business Machines (IBM)
vendorversion: 5.2
ibm-sslciphers: 352F04050A090306
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 100000
ibm-slapdTimeLimit: 0
ibm-slapdDerefAliases: never
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: d03ldr210a
...
Do you still have this problem?
Most definitely :(

$ dpkg -l libgnutls26
ii libgnutls26 2.2.3~rc-1
$ gnutls-cli -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
I'd like to close or downgrade the bug.
I'd rather not... I've had to rebuild openldap against openssl to be able to operate in this environment - and there is a large number of us using Debian - and I'm sure others who must live with an IBM server in their environment.
/Simon
Thanks for the follow-up, and let me know how I can help with this... I can provide ldap/wireshark/etc traces if needed; I'm guessing the handshake error occurs as gnutls tries to check on TLS extensions, but haven't spent much time on digging through the code. I can't (I'd be canned, and it's not my server) expose the beast for external testing, but I can run any diagnostics and report the results.

--
Rick Nelson
* shortc wants to get in one of knghtbrd's sigs one of these days.