--On Friday, June 14, 2013 5:22 PM +0530 Ashwin Kumar ashwinkumark10@gmail.com wrote:
I am compiling OpenLDAP 2.4.35 with OpenSSL 1.0.0a. The compilation and building the library works fine.
However, when I am using the OpenLDAP client "ldapsearch" the tool fails with these errors:
[root@xMachine openldap-2.4.35]# ./ldaplib/bin/ldapsearch -H ldaps://192.168.1.51:10636 -d 5
ldap_url_parse_ext(ldaps://192.168.1.51:10636)
ldap_create
ldap_url_parse_ext(ldaps://192.168.1.51:10636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.51:10636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.51:10636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv3 read server hello B
TLS trace: SSL_connect:error in SSLv3 read server hello B
TLS: can't connect: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list.
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
	additional info: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
- Why does this happen?
- Is it the issue with the OpenSSL 1.0.0a?
Looks that way.
- What is the minimum version of OpenSSL required to build the LDAP clients?
I know it works with at least 0.9 series. I'm not sure why you are using such an ancient version of OpenSSL to build with OpenLDAP, given the numerous security vulnerabilities it has. I personally use the latest (1.0.1e).
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
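The failure in the quoted trace happens after "connect success" and inside the TLS handshake, so the useful part for triage is the OpenSSL error string, which packs a library, function and reason code into eight hex digits. The following is an added example, not code from the thread or from OpenLDAP: it parses a copy of the ldapsearch -d 5 trace from the post (embedded here as a constructed sample) into the OpenSSL error fields and reports which phase (TCP connect, TLS handshake) the client got to. The field layout follows OpenSSL's documented error:LLFFFRRR:lib:func:reason format; the decoded numeric values are plain arithmetic on the hex from the trace.

```python
import re

# Constructed sample: the relevant lines from the ldapsearch -d 5 trace in the post.
SAMPLE_TRACE = """\
ldap_url_parse_ext(ldaps://192.168.1.51:10636)
ldap_connect_to_host: TCP 192.168.1.51:10636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv3 read server hello B
TLS: can't connect: error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
"""

# OpenSSL ERR_error_string() layout: error:LLFFFRRR:library:function:reason
# The 8 hex digits hold an 8-bit library code, a 12-bit function code and a 12-bit reason code.
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]+):(?P<func>[^:\n]+):(?P<reason>[^.\n]+)"
)


def parse_openssl_error(text):
    """Return the first OpenSSL error in text as a dict, or None if there is none."""
    m = OPENSSL_ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "code": m.group("code").upper(),
        "lib_code": code >> 24,             # 0x14 -> ERR_LIB_SSL
        "func_code": (code >> 12) & 0xFFF,  # 0x118 -> the SSL_CHECK_SERVERHELLO_TLSEXT function
        "reason_code": code & 0xFFF,        # 0x09D -> "tls invalid ecpointformat list"
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason").strip(),
    }


def diagnose(trace):
    """Summarise how far an ldapsearch -d 5 connection attempt got before failing."""
    lines = trace.splitlines()
    tcp_connected = any("connect success" in line for line in lines)
    # Every "TLS trace: SSL_connect:<state>" line records one handshake state; keep the last one.
    handshake_steps = [
        line.split("SSL_connect:", 1)[1]
        for line in lines
        if line.startswith("TLS trace: SSL_connect:")
    ]
    err = parse_openssl_error(trace)
    if not tcp_connected:
        stage = "tcp"
    elif err is not None:
        stage = "tls_handshake"
    else:
        stage = "ok"
    return {
        "tcp_connected": tcp_connected,
        "last_handshake_step": handshake_steps[-1] if handshake_steps else None,
        "openssl_error": err,
        "stage": stage,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    print("stage:", result["stage"])
    print("last handshake step:", result["last_handshake_step"])
    print("openssl error:", result["openssl_error"])
```

Run against the sample, the report shows a successful TCP connect and a handshake that died while reading the ServerHello with reason "tls invalid ecpointformat list", which is the client-side TLS library rejecting the server's extension; that points at the OpenSSL build the client was linked against, as the reply says, rather than at the network or the LDAP layer.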