On 08/11/2009 01:05 PM, E.M. van Gasteren wrote:
>
> On 08/11/2009 04:44 AM, Howard Chu wrote:
>> [email protected] wrote:
>>> Full_Name: Ed van Gasteren
>>> Version: 2.4.12 and 2.4.15
>>> OS: linux (Fedora 10, 11)
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (85.223.76.221)
>>>
>>> On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients.
>>> The configuration is such that things work as expected even with security
>>> tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with
>>> -ZZ), nss and gq with TLS work like a charm.
>>>
>>> On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and
>>> Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd
>>> with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace:
>>> SSL_connect:SSLv3 read server certificate A".
>>>
>>> Seems as if the normal code path has a flaw which gets corrected/bypassed by the
>>> debugging code.
>>
>> Doesn't sound familiar, I've never had this problem. However, the TLS
>> code was refactored in rev 2.4.14, and it's always possible we missed
>> something in the churn. How does openssl s_client react under the same
>> conditions? If it hangs the same way, then that points to a bug on the
>
> Should have mentioned that. It indeed hangs the same way, in the middle
> of getting over the "Acceptable client certificate CA names".

-- cut --

>> server, and the answer is just to upgrade since .12 is rather out of
>
> Hm! I'll see if I can get the 2.4.15 openldap stuff from Fedora 11
> repos running on lt2 first.

I ran into serious problems with lt2 and had to rebuild it. I took the opportunity to use Fedora 11 with openldap 2.4.15. That seems to have solved the problem.
