Mathieu MILLET wrote:
On Wed, 25 Mar 2009 15:09:09 +0100, Peter Mogensen
<apm(a)mutex.dk> wrote:
> I have problem with SASL/EXTERNAL and TLS. The server can't seem to find
> the client certificate. I'm using slapd from Debian Lenny and Ubuntu
> Hardy, and it's probably due to GnuTLS problems.
> I get error from slapd like:
> "TLS: can't accept: A TLS packet with unexpected length was received.."
Oh ... forget this one. I found the reason for this. It was my fault.
> "unable to get TLS client DN, error=-4 id=0"
> Are GnuTLS just completely broken on Debian Lenny or can this be made to
> work?
Which version of OpenLDAP are you using ?
If using 2.4.15, the ldap "client" libs have broken SASL/EXTERNAL
implementation. These libs are also used for consumer to connect to
provider.
2.4.9-0ubuntu0.8.0
I haven't checked which upstream version the patches makes it equivalent
to though.
Doing: ldapwhoami -YEXTERNAL -H ldaps://server:389/
I'm stepping through the SSL handshake with wireshark and it seems to
get all the way through to the servers ChangeChipherSpec/Finish stage
after which the client sends a TCP FIN,ACK.
slapd output is:
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_read(10): unable to get TLS client DN, error=-4 id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_closing: readying conn=11 sd=10 for close
connection_close: conn=11 sd=10
According to wireshark it's TLSv1.1.
I think I read somewhere that GnuTLS don't like that, but I can't figure
out how do downgrade to TLSv1.0
/Peter