Full_Name: Ed van Gasteren
Version: 2.4.12 and 2.4.15
OS: linux (Fedora 10, 11)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (85.223.76.221)
On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients. The configuration is such that things work as expected even with security tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with -ZZ), nss and gq with TLS work like a charm.
On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace: SSL_connect:SSLv3 read server certificate A".
Seems as if the normal code path has a flaw which gets corrected/bypassed by the debugging code.
What puzzles me is that I find few references (google) to this kind of problem, as if nobody uses it this way.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412706 There they blame it on GnuTLS. Here the symptoms are similar but GnuTLS is not in the picture.
- I have searched the openldap Mailing Lists archives for "ssl;client;server;-d 2". That gives a few hits with very similar problems but the threads provide no solution.
I can provide loads of additional detail about my configuration and debug output of the server and the ldapsearch client but I prefer to get some pointers about what to test, look for or provide.
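The report above distinguishes a handshake that hangs (stuck at "SSL_connect:SSLv3 read server certificate A") from one that fails outright, which is the first thing worth pinning down before comparing the "-d 2" and non-debug server runs. The helper below is an editor's example added to this page, not code from the reporter or from OpenLDAP: it runs one probe command under a watchdog and classifies the result as "ok", "failed" or "hung", so that an ldaps probe (openssl s_client to port 636) and a StartTLS probe (ldapsearch -ZZ to port 389) can be compared side by side. The hostname lt2 is taken from the report; the port numbers are the standard ldap/ldaps defaults; the probe commands in the usage comments are assumptions and must be adapted to the local base DN and certificate setup.

```shell
#!/bin/sh
# Editor's example (not part of the original bug report).
# probe_with_timeout SECS CMD [ARGS...]
#   Runs CMD with a watchdog and prints one word:
#     ok     - CMD exited 0 before the deadline
#     failed - CMD exited non-zero on its own (handshake refused, bad cert, ...)
#     hung   - the watchdog had to kill CMD (it never completed)
probe_with_timeout() {
    secs=$1
    shift
    # Probe output goes to /dev/null so that lingering children never hold
    # our stdout open (matters when the function is used in $(...)).
    "$@" >/dev/null 2>&1 &
    pid=$!
    # Watchdog: terminate the probe if it is still running after $secs.
    ( sleep "$secs"; kill "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    rc=0
    wait "$pid" || rc=$?
    # Probe finished (or was killed); stop and reap the watchdog.
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -gt 128 ]; then
        # 128+signal: killed by the watchdog, i.e. the probe stalled.
        echo hung
    else
        echo failed
    fi
}

# Usage against the server from the report (assumed commands, adjust to
# the local base DN and CA configuration; 15 s is a generous deadline):
#   ldaps, TLS layer only, no LDAP traffic:
#     probe_with_timeout 15 sh -c 'openssl s_client -connect lt2:636 </dev/null'
#   StartTLS on the plain port, full LDAP client path:
#     probe_with_timeout 15 ldapsearch -x -H ldap://lt2 -ZZ -b "" -s base
# If s_client reports "ok" while ldapsearch reports "hung", the stall is in
# the LDAP client's TLS code path rather than in the server's TLS listener.
```

Run each probe twice, once with slapd started normally and once with "-d 2", and record the three-way result; a "hung" that turns into "ok" only under "-d 2" is the behaviour the report describes, and the pair of results is the concise detail worth attaching to the ticket.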