On 08/11/2009 01:05 PM, E.M. van Gasteren wrote:
> On 08/11/2009 04:44 AM, Howard Chu wrote:
>> Ed@vanGasteren.net wrote:
>>> Full_Name: Ed van Gasteren
>>> Version: 2.4.12 and 2.4.15
>>> OS: linux (Fedora 10, 11)
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (85.223.76.221)
>>>
>>> On system lt2 (up-to-date Fedora 10) I run openldap (2.4.12) server and clients. The configuration is such that things work as expected even with security tightened up to "TLSVerifyClient demand". ldapsearch (either to -H ldaps or with -ZZ), nss and gq with TLS work like a charm.
>>>
>>> On system lt1 (up-to-date Fedora 11) I run openldap clients (2.4.15), gq and Thunderbird connecting to the server on lt2. TLS/SSL only works if I run slapd with "-d 2". If I run slapd without it, then ldapsearch hangs on "TLS trace: SSL_connect:SSLv3 read server certificate A".
>>>
>>> Seems as if the normal code path has a flaw which gets corrected/bypassed by the debugging code.
>>
>> Doesn't sound familiar, I've never had this problem. However, the TLS code was refactored in rev 2.4.14, and it's always possible we missed something in the churn. How does openssl s_client react under the same conditions? If it hangs the same way, then that points to a bug on the
>
> Should have mentioned that. It indeed hangs the same way, in the middle of getting over the "Acceptable client certificate CA names".
>
> -- cut --
>
>> server, and the answer is just to upgrade since .12 is rather out of
>
> Hm! I'll see if I can get the 2.4.15 openldap stuff from the Fedora 11 repos running on lt2 first.

I ran into serious problems with lt2 and had to rebuild it. I took the opportunity to use Fedora 11 with openldap 2.4.15. That seems to have solved the problem.