It looks like my problem was that with LDAP-UX you can only use TLS over an unencrypted port.  If you try to use it over 636 it fails.  I guess this is normal.  Thanks for the help.

On Wed, May 28, 2008 at 1:01 PM, Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:
On Wed, 28 May 2008, Michael Ströder wrote:
Adam Leach wrote:
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580

Looks like your client tries to negotiate the SSLv23 protocol variant and your server does not accept this. You might have a look at the client's configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for security reasons anyway.

"SSLv23" is OpenSSL's name for the version negotiation code, handling the choice between SSLv2, SSLv3, and TLSv1.  Support for specific versions can be disabled using the SSL_{,CTX_}set_options() functions...which OpenLDAP doesn't call.  With that ruled out, it looks from the OpenSSL code that the "unknown protocol" error would only be generated when the client sent something that didn't look like either the SSLv2 format or the SSLv3/TLS format, such as if it sent normal LDAP on the ldaps port.


Philip Guenther



--
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
System Administrator - Raytheon
(304)677-4455
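As an added illustration of Philip's point about what produces the "unknown protocol" error (this is not code from the thread, from OpenLDAP or from LDAP-UX): a small Python classifier that inspects the first bytes a client sends and tells a TLS ClientHello, an SSLv2 CLIENT-HELLO, an LDAP StartTLS extended request and plain LDAP apart. Run over a packet capture of the failing connection, it confirms whether the client is really speaking cleartext LDAP (or StartTLS) to the ldaps port. All sample byte strings below are constructed; the BER encoder handles short-form lengths only.

```python
"""Classify the leading bytes of a client connection: real TLS handshake,
legacy SSLv2 hello, or plain LDAP (cleartext or StartTLS) sent to an
ldaps:// port, the misconfiguration discussed in this thread."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)


def ber(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV encoder: short-form length only (bodies under 128 bytes)."""
    assert len(body) < 128, "sample encoder supports short-form lengths only"
    return bytes([tag, len(body)]) + body


def classify_first_bytes(data: bytes) -> str:
    """Return what the first bytes on the wire look like."""
    if len(data) < 3:
        return "too_short"
    # SSLv3/TLS record: content type 22 (handshake), version major byte 3,
    # minor 0..3; the first handshake message type 1 is a ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        if len(data) >= 6 and data[5] == 0x01:
            return "tls_client_hello"
        return "tls_record"
    # SSLv2 record: 2-byte length with the high bit set, then message type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2_client_hello"
    # Plain LDAP: LDAPMessage ::= SEQUENCE (0x30) { messageID INTEGER (0x02), protocolOp }
    if data[0] == 0x30 and len(data) >= 5 and data[2] == 0x02:
        op_off = 4 + data[3]  # skip the messageID INTEGER (short-form length)
        if op_off < len(data):
            op = data[op_off]
            if op == 0x77 and STARTTLS_OID in data:  # ExtendedRequest [APPLICATION 23]
                return "ldap_starttls_request"
            if op == 0x60:  # BindRequest [APPLICATION 0]
                return "ldap_bind_request"
            return "ldap_plaintext"
    return "unknown"


# Constructed samples, not captures from the systems in the thread.
TLS_HELLO = bytes.fromhex("160301002c010000280303")     # start of a TLS 1.2 ClientHello
SSLV2_HELLO = bytes.fromhex("802e010002001500000010")   # start of an SSLv2 CLIENT-HELLO
BIND_REQ = ber(0x30, ber(0x02, b"\x01")                  # messageID 1
             + ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")))  # anonymous simple bind
STARTTLS_REQ = ber(0x30, ber(0x02, b"\x01") + ber(0x77, ber(0x80, STARTTLS_OID)))

if __name__ == "__main__":
    for name, sample in [("tls", TLS_HELLO), ("sslv2", SSLV2_HELLO),
                         ("bind", BIND_REQ), ("starttls", STARTTLS_REQ)]:
        print(f"{name:9s} -> {classify_first_bytes(sample)}")
```

Anything classified as `ldap_*` arriving on port 636 is exactly the case Philip describes: the server's TLS accept sees bytes that are neither SSLv2 nor SSLv3/TLS format, so the fix is on the client side (use StartTLS on 389, or a client that supports ldaps properly), not in the server's protocol options.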