https://bugs.openldap.org/show_bug.cgi?id=9433
Issue ID: 9433
Summary: ldapsearch -Z fails to continue when StartTLS fails
Product: OpenLDAP
Version: 2.4.56
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: simon.pichugin@gmail.com
Target Milestone: ---
Created attachment 783 --> https://bugs.openldap.org/attachment.cgi?id=783&action=edit ldapsearch debug log
When -Z is passed to an OpenLDAP utility, it will try to establish a TLS connection with StartTLS, and in case it fails to do so it should continue without the TLS layer.
OpenLDAP version: openldap-2.4.56-4.fc34.x86_64 (but it also doesn't work on older versions)
How reproducible: Always
Steps to Reproduce:
1. Run `ldapsearch ...' against a server and see successful operation result.
2. Run `ldapsearch -Z ...' against a server whose certificate is not trusted (e.g. a hostname mismatch) and observe it fails to connect as in point 1.
Actual results:
~~~
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
# and it hangs there
~~~
Expected results: The line
~~~
ldap_result: Can't contact LDAP server (-1)
~~~
is not present and the utility successfully continues with plain LDAP protocol as expected.
Additional info: I'm attaching a full debug log (-d -1) to this bug.
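The -Z fallback the report describes (StartTLS attempted, plaintext LDAP if it fails) next to the stricter -ZZ form from the ldapsearch manual that refuses to continue, as an added Python model that is not OpenLDAP's code. The connection interface mirrors python-ldap's start_tls_s/search_s method names, but FakeConnection is a constructed stand-in so the example runs offline; StartTLSError is a hypothetical exception type.

```python
"""Model of ldapsearch's -Z (opportunistic) vs -ZZ (mandatory) StartTLS policy."""
from dataclasses import dataclass, field
from typing import Any, Optional


class StartTLSError(Exception):
    """Hypothetical: raised when the StartTLS extended operation fails."""


@dataclass
class FakeConnection:
    """Constructed stand-in for an LDAP connection; no network involved."""
    tls_error: Optional[str] = None   # e.g. "hostname does not match CN in peer certificate"
    tls_active: bool = False
    log: list = field(default_factory=list)

    def start_tls_s(self) -> None:
        # Same method name as python-ldap; here it succeeds unless tls_error is set.
        if self.tls_error:
            self.log.append(f"ldap_start_tls: Connect error (-11) additional info: TLS: {self.tls_error}")
            raise StartTLSError(self.tls_error)
        self.tls_active = True

    def search_s(self, base: str, filterstr: str) -> list:
        # Constructed result entry, annotated with whether TLS protected the search.
        return [(base, {"tls": self.tls_active, "filter": filterstr})]


def search_with_starttls(conn: Any, base: str, filterstr: str, require_tls: bool) -> Optional[list]:
    """Emulate ldapsearch: require_tls=False is -Z, require_tls=True is -ZZ.

    With -Z a StartTLS failure is reported but the search still proceeds in
    plaintext (the behaviour the report says is broken in 2.4.56); with -ZZ
    the failure is fatal and None is returned instead of a cleartext result.
    """
    try:
        conn.start_tls_s()
    except StartTLSError as exc:
        print(f"ldap_start_tls: {exc}")
        if require_tls:
            return None  # -ZZ: fail closed, never send the query in the clear
    return conn.search_s(base, filterstr)
```

The -Z path silently downgrades to cleartext on a certificate mismatch, so for any query whose confidentiality matters the -ZZ policy (or ldaps://) is the one to rely on.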