--On Monday, February 26, 2007 3:59 PM +0200 Antonis Christofides <anthony@itia.ntua.gr> wrote:
> Hi,
> Summary:
> A TLS connection between a client and a 2.3.30 slapd hangs while the server is giving the certificate; but this does not happen if the server is run with -d 2 or higher, or if the client is the server itself.
> Details:
> (A seemingly similar issue has been reported before, without satisfactory reply, 4 years ago: http://www.openldap.org/lists/openldap-software/200210/msg00459.html)
> My slapd is the Debian-etch-packaged 2.3.30.
Problems with SSL on Debian are well known, and they are due to the fact that they long ago patched OpenLDAP 2.1 to compile against GnuTLS (note, I don't say *work*, just compile).
When you use their 2.2 and 2.3 packages, and their libraries get loaded into the same user space as the 2.1 libraries (which are always installed), then SSL/TLS stops working. There is *nothing* the OpenLDAP folks can do about this.
My only advice to you is to not use the Debian packages. Build OpenLDAP yourself, or get a prebuilt distribution like Symas' CDS that installs into a completely separate location so that it is not polluted by the Debian packages.
In the meantime, Stanford U. & The Written Word have hired Symas corporation to create true integration between GnuTLS and OpenLDAP. It is anticipated that it will be part of the OpenLDAP 2.4 release. Too late for Debian's etch release, but I assume this problem will finally go away for Debian in the release after that.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
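The mixed-library situation Quanah describes (a 2.1 libldap built against GnuTLS mapped into the same slapd process as 2.3 libraries built against OpenSSL) can be checked from the process's memory map. The script below is an added diagnostic, not code from this thread or from the OpenLDAP project; it reads a /proc/<pid>/maps-style listing and flags more than one libldap version or both TLS stacks in one process. The library file names in the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: read a /proc/<pid>/maps-style
# listing of what slapd has mapped and flag the mixed-library case described
# above, i.e. more than one libldap version, or both libgnutls and libssl,
# loaded into one process. Live use: tls_lib_conflicts /proc/$(pidof slapd)/maps

tls_lib_conflicts() {
    # Distinct shared-object basenames; the pathname is the 6th maps field.
    libs=$(awk '$6 ~ /\.so/ { n = split($6, a, "/"); print a[n] }' "$1" | sort -u)
    # libldap-2.1.so.2 and libldap_r-2.3.so.0 -> versions 2.1 and 2.3
    ldap_versions=$(printf '%s\n' "$libs" \
        | sed -n 's/^libldap[_a-z]*-\([0-9.]*\)\.so.*/\1/p' | sort -u | wc -l | tr -d ' ')
    tls_stacks=$(printf '%s\n' "$libs" \
        | grep -e '^libgnutls\.so' -e '^libssl\.so' | wc -l | tr -d ' ')
    status=0
    if [ "$ldap_versions" -gt 1 ]; then
        echo "conflict: $ldap_versions libldap versions mapped"; status=1
    fi
    if [ "$tls_stacks" -gt 1 ]; then
        echo "conflict: both GnuTLS and OpenSSL mapped"; status=1
    fi
    return $status
}

# Constructed sample maps excerpts (addresses, inodes and file names are made up).
BROKEN_MAPS=$(mktemp)
cat >"$BROKEN_MAPS" <<'EOF'
b7e10000-b7e40000 r-xp 00000000 08:01 1001 /usr/lib/libldap_r-2.3.so.0.2.15
b7e40000-b7e50000 r-xp 00000000 08:01 1002 /usr/lib/libssl.so.0.9.8
b7e50000-b7e70000 r-xp 00000000 08:01 1003 /usr/lib/libldap-2.1.so.2
b7e70000-b7e90000 r-xp 00000000 08:01 1004 /usr/lib/libgnutls.so.13
EOF
CLEAN_MAPS=$(mktemp)
cat >"$CLEAN_MAPS" <<'EOF'
b7e10000-b7e40000 r-xp 00000000 08:01 1001 /usr/lib/libldap_r-2.3.so.0.2.15
b7e40000-b7e50000 r-xp 00000000 08:01 1002 /usr/lib/libssl.so.0.9.8
EOF

tls_lib_conflicts "$BROKEN_MAPS" || echo "broken sample: exit $?"
tls_lib_conflicts "$CLEAN_MAPS" && echo "clean sample: no conflict"
```

A process that shows both conflicts is the case where slapd's TLS handshake can misbehave regardless of its own configuration, which is why the advice above is to build or install OpenLDAP outside the Debian library paths.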