Hello all,
why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on debian (package 2.3.30-5 to be precise).
when connecting with ssl to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept. TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
When connecting to the same host but with the ldap protocol (vs ldaps) the search results correctly.
This error seems like somehow slapd wants to get a client certificate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:
TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt
relevant parts from slapd.conf (included in total at the end of message):
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
verification with openssl s_server and s_client:
openssl s_server -accept 12345 -cert /etc/ldap/artemis-ldap-cert.pem -key /etc/ldap/artemis-ldap-key.pem -CAfile /usr/share/ca-certificates/t310/t310_pem.crt
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
and the client:
openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem -connect artemis.t310.org:12345
allows me to exchange data between them. However connecting the s_client to the real ldap server results in an error:
artemis:~# openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem -connect artemis.t310.org:636
CONNECTED(00000003)
depth=1 /O=T310 technologies/OU=CA Division/emailAddress=ca@t310.org/L=Amsterdam/ST=NH/C=NL/CN=T310 root CA
verify return:1
depth=0 /C=NL/ST=NH/O=T310 technologies/OU=ldap/CN=artemis.t310.org
verify return:1
15612:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
15612:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Any help is appreciated
Frank Cornelissen
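The question above turns on what slapd's TLS directives actually say. As an added example (not part of the original post and not OpenLDAP code), the following script lints the TLS section of a slapd.conf: it checks every TLS* keyword against the directive names documented in slapd.conf(5) for OpenLDAP 2.3 (that list is transcribed from the manual and is an assumption of this example), suggests the nearest known name for anything unrecognised, validates the TLSVerifyClient value, and reports the effective client-certificate policy, treating a commented-out TLSVerifyClient as absent so that the documented default of never applies. The sample configuration embedded in the script is the snippet quoted in the post, one directive per line.

```python
import difflib

# Directives documented in slapd.conf(5) for OpenLDAP 2.3.
# Assumption of this example: the set below was transcribed from the manual
# page; it is not taken from the post. slapd.conf keywords are case-insensitive,
# so lookups are done on the lower-cased name.
KNOWN_TLS_DIRECTIVES = {
    "TLSCipherSuite",
    "TLSCACertificateFile",
    "TLSCACertificatePath",
    "TLSCertificateFile",
    "TLSCertificateKeyFile",
    "TLSDHParamFile",
    "TLSRandFile",
    "TLSVerifyClient",
    "TLSCRLCheck",
}
_KNOWN_LOWER = {d.lower(): d for d in KNOWN_TLS_DIRECTIVES}

# Accepted TLSVerifyClient values per slapd.conf(5); "never" is the default.
VERIFY_CLIENT_VALUES = {"never", "allow", "try", "demand", "hard", "true"}
REQUIRES_CLIENT_CERT = {"demand", "hard", "true"}

# Constructed sample: the TLS lines from the slapd.conf quoted in the post,
# including the two commented-out directives.
SAMPLE_CONF = """\
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
"""


def parse_directives(text):
    """Return (active, commented) lists of (directive, value) pairs.

    slapd.conf is keyword-first and whitespace separated; '#' starts a comment.
    Commented-out directives are recorded separately so a report can say
    "present but inactive" instead of "absent".
    """
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        parts = line.lstrip("#").strip().split(None, 1)
        if not parts or not parts[0].lower().startswith("tls"):
            continue
        pair = (parts[0], parts[1].strip() if len(parts) > 1 else "")
        (commented if is_comment else active).append(pair)
    return active, commented


def check_tls_config(text):
    """Lint the TLS directives and summarise the client-certificate policy."""
    active, commented = parse_directives(text)
    findings = []
    verify_value = None
    ca_file = False
    for name, value in active:
        canonical = _KNOWN_LOWER.get(name.lower())
        if canonical is None:
            # Nearest documented keyword, compared case-insensitively.
            near = difflib.get_close_matches(name.lower(), _KNOWN_LOWER, n=1, cutoff=0.8)
            hint = f" (did you mean {_KNOWN_LOWER[near[0]]}?)" if near else ""
            findings.append(f"unknown directive {name}{hint}")
            continue
        if canonical == "TLSVerifyClient":
            verify_value = value.lower()
            if verify_value not in VERIFY_CLIENT_VALUES:
                findings.append(f"invalid TLSVerifyClient value {value!r}")
        elif canonical == "TLSCACertificateFile":
            ca_file = True
    effective = verify_value if verify_value in VERIFY_CLIENT_VALUES else "never"
    return {
        "findings": findings,
        "effective_verify_client": effective,
        "client_cert_required": effective in REQUIRES_CLIENT_CERT,
        "ca_file_configured": ca_file,
        "commented_out": [name for name, _ in commented],
    }


if __name__ == "__main__":
    report = check_tls_config(SAMPLE_CONF)
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run against the quoted configuration, the report shows the effective TLSVerifyClient as the default never (so no client certificate is demanded by that directive), notes that TLSVerifyClient and TLSCRLCheck are present only as comments, and lists any TLS keyword that does not match a documented directive name together with its closest match. Such a report is a quick first check before reaching for openssl s_client, because slapd only applies the directives it recognises.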