Quanah Gibson-Mount wrote:
--On Thursday, October 29, 2009 2:56 PM +0100 Victor Mataré matare@lih.rwth-aachen.de wrote:
Hope that someone can make sense of this. Just to be clear: ldapsearch behaves the same way as described above for openssl s_client.
Thank you very much for even reading so far.
If slapd is the one failing to send data, why don't you turn up the debugging level on the slapd side and see what it thinks is happening? I.e., start slapd by hand with something like -d 2 or -d -1 and see what it reports at the time at which the connection hangs.
--Quanah
Ok, when I start slapd with -d 9, I see this:
slap_listener(ldap://)
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B
(Ctrl-C on the client)
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
TLS trace: SSL_accept:SSLv3 write certificate request B
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(15): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=15 for close
connection_close: conn=1 sd=15
However it looks like it might be a client issue after all, because I found out some clients can actually talk to the server through ldaps:// or STARTTLS, while others fail with "Can't contact ldap server". This is some weird breakage. Don't bother too much with this, I think I have to do some more experimentation. But thanks to all for the quick responses so far.