Ed@vanGasteren.net wrote:
Full_Name: Ed van Gasteren Version: 2.4.12 and 2.4.15 OS: linux (Fedora 10, 11) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (85.223.76.221)
On system lt2 (up to date Fedora 10) I run openldap (2.4.12) server and clients. The configuration is such that things work as expected even with security tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with -ZZ), nss and gq with TLS work like a charm.
On system lt1 (up to date Fedora 11) I run openldap clients (2.4.15), gq and Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd with "-d 2". If I run slapd without it then ldapsearch hangs on "TLS trace: SSL_connect:SSLv3 read server certificate A".
Seems as if the normal code path has a flaw which gets corrected/bypassed by the debugging code.
Doesn't sound familiar, I've never had this problem. However, the TLS code was refactored in rev 2.4.14, and it's always possible we missed something in the churn. How does openssl s_client react under the same conditions? If it hangs the same way, then that points to a bug on the server, and the answer is just to upgrade since .12 is rather out of date now. If s_client works, then we probably have to look at our client code.