Hello,
I'm using slapd 2.3.30 on an Ubuntu 7.04 AMD64 machine and I have some trouble getting it running with TLS. When the slapd daemon is started during system start-up I cannot connect to the LDAP server with TLS. After a long search I figured out that the slapd daemon requests a client certificate, but I haven't configured the server to do so. Here is the TLS configuration of slapd:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient never
TLSCACertificateFile /etc/ldap/certs/root.crt
#TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/ldap.arsoft.homeip.net.crt
TLSCertificateKeyFile /etc/ldap/private/ldap.arsoft.homeip.net.pem
And here's what the server says when I connect to it using ldapsearch -x -ZZ ...

TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=187
connection_read(11): checking for input on id=187
tls_read: want=5, got=5
  0000:  16 03 01 00 07                                     .....
tls_read: want=7, got=7
  0000:  0b 00 00 03 00 00 00                               .......
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 28                               ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
connection_read(11): TLS accept failure error=-1 id=187, closing
connection_closing: readying conn=187 sd=11 for close
connection_close: conn=187 sd=11
The interesting thing is that when I restart the slapd daemon manually, the server works fine and TLS is also working.
I don't know if this problem is really a bug or not, but I don't know how to solve this problem by myself. Any help or advice is welcome.
Thanks, A. Roth
openldap-software@openldap.org
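The two hex dumps in the trace above are complete TLS records, and reading them confirms what the OpenSSL error says. The following decoder is an added example and is not part of the original post or of OpenLDAP; the byte strings are copied from the trace, and everything else (the dictionaries of type codes, the function names, the diagnose() summary text) is this example's own. It decodes only the record header, the handshake header with the Certificate body, and the alert body, which is all the trace needs.

```python
# Added example (not from the original post): a minimal decoder for the raw
# TLS records that slapd dumped in the debug trace above. It shows what the
# two hex dumps mean: the client answered the server's CertificateRequest
# with an empty Certificate message, and the server closed the handshake
# with a fatal handshake_failure alert. Only the record header, the
# handshake header (plus the Certificate body) and the alert body are decoded.
import struct

# Bytes copied from the trace in the post: the 5-byte record header and the
# 7-byte body slapd read, and the 7-byte record slapd wrote back.
CLIENT_CERTIFICATE = bytes.fromhex("16 03 01 00 07") + bytes.fromhex("0b 00 00 03 00 00 00")
SERVER_ALERT = bytes.fromhex("15 03 01 00 02 02 28")

# Code tables (subset of the TLS registry values this example needs).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 50: "decode_error"}


def parse_handshake(body):
    """Decode a handshake message header; for Certificate, also the cert list."""
    if len(body) < 4:
        raise ValueError("handshake header needs 4 bytes")
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    payload = body[4:4 + hlen]
    if len(payload) != hlen:
        raise ValueError("truncated handshake message")
    msg = {"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})"), "length": hlen}
    if htype == 11:
        # Certificate: 3-byte list length, then (3-byte length, DER cert) entries.
        list_len = int.from_bytes(payload[:3], "big")
        certs, pos = [], 3
        while pos < 3 + list_len:
            clen = int.from_bytes(payload[pos:pos + 3], "big")
            certs.append(payload[pos + 3:pos + 3 + clen])
            pos += 3 + clen
        msg["certificates"] = certs
    return msg


def parse_alert(body):
    """Decode a 2-byte alert body: level, description."""
    if len(body) != 2:
        raise ValueError("alert body is exactly 2 bytes")
    level, desc = body
    return {"level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}


def decode_record(data):
    """Decode one TLS record (5-byte header plus body) into a dict."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError(f"record body truncated: expected {length}, got {len(body)}")
    rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
           "length": length}
    if ctype == 22:
        rec["message"] = parse_handshake(body)
    elif ctype == 21:
        rec["alert"] = parse_alert(body)
    return rec


def diagnose(records):
    """Summarise the exchange: an empty client Certificate followed by a fatal
    handshake_failure alert means the server's verify mode demanded a client
    certificate that the client did not present."""
    empty_cert = any(r.get("message", {}).get("type") == "certificate"
                     and r["message"].get("certificates") == [] for r in records)
    fatal_hs = any(r.get("alert") == {"level": "fatal", "description": "handshake_failure"}
                   for r in records)
    if empty_cert and fatal_hs:
        return ("client sent an empty Certificate message (no client certificate); "
                "server aborted with fatal handshake_failure, i.e. it required one")
    return "no client-certificate failure pattern found"


if __name__ == "__main__":
    recs = [decode_record(CLIENT_CERTIFICATE), decode_record(SERVER_ALERT)]
    for r in recs:
        print(r)
    print(diagnose(recs))
```

Run stand-alone it prints the decoded records and the one-line diagnosis. The decoded bytes match the trace: the client's record is a TLS 1.0 handshake record carrying a Certificate message whose certificate list has length 0, and the server's reply is a fatal alert with description 40 (handshake_failure). A server that had TLSVerifyClient never in effect would accept an empty Certificate message and continue, so the bytes support the poster's observation that the daemon started at boot behaves as if client verification were required.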