Hi Howard
Thanks for the suggestion.
[tl] > The lack of any server reply to the client's Hello message strikes me as probably a TLS version mismatch.
[tl] > Check what versions of TLS libraries are in use on both the client and server, and if they've been configured to include or exclude any particular TLS versions.
I've been running the ldapsearch and openssl commands on the OpenLDAP server, so the client and server are the same system. I only see openssl 1.1 installed on this OpenLDAP server system:

ldpdd042:~ # rpm -qa | grep openssl
openssl-1.1.1l-150400.1.5.noarch
openssl-1_1-1.1.1l-150400.7.34.1.x86_64
libxmlsec1-openssl1-1.2.28-150100.7.13.4.x86_64
libopenssl1_1-1.1.1l-150400.7.34.1.x86_64
libopenssl-1_1-devel-1.1.1l-150400.7.34.1.x86_64
ldpdd042:~ #
I'm assuming that OpenLDAP 2.6.4 does support openssl 1.1, correct?
[tl] > Also, both slapd and the clients should be configured to use the self-signed server cert as a CA cert.
I believe the server is using the self-signed cert. I think another reply to this thread had suggested that I not use TLSCACertificateFile, so I commented it out:

ldpdd042:~ # tail /usr/local/etc/openldap/slapd.conf
#######################################################################
# monitor database definitions
#######################################################################
database monitor

# Added TLS directives
#
#TLSCACertificateFile /var/lib/ca-certificates/ca-bundle.pem
TLSCertificateFile /etc/ssl/private/server.cert
TLSCertificateKeyFile /etc/ssl/private/server.key
Thanks! tl
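An added example, not part of the thread above, of the check implied by the advice that slapd and its clients should both trust the self-signed server cert as the CA cert: it confirms the cert is self-signed, that the key belongs to it, and that the cert verifies against itself when used as the CA file. The paths and the throwaway cert/key pair are constructed for the demo; on the server in the thread they would be /etc/ssl/private/server.cert and /etc/ssl/private/server.key.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the slapd TLS material before
# pointing TLSCertificateFile / TLSCertificateKeyFile and the client's CA file at it.

# Return 0 if CERT is self-signed (issuer == subject), KEY is its private key,
# and CERT verifies when CERT itself is the CA file; 1/2/3 otherwise.
check_selfsigned_pair() {
    cert=$1; key=$2
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subject=$(openssl x509 -in "$cert" -noout -subject)
    # strip the "issuer=" / "subject=" prefixes and compare the DN part only
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    # the public key embedded in the cert must equal the one derived from the key
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout)
    [ "$certpub" = "$keypub" ] || return 2
    # this is exactly what a client does with LDAPTLS_CACERT=server.cert
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# Constructed demo material: a one-day self-signed cert/key pair in a temp dir.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldpdd042.example" \
        -keyout "$dir/server.key" -out "$dir/server.cert" >/dev/null 2>&1
    echo "$dir"
}
```

With the pair verified, the client side of the same trust relationship is `LDAPTLS_CACERT=/etc/ssl/private/server.cert ldapsearch -ZZ ...` (or `TLS_CACERT` in ldap.conf); `openssl s_client -connect host:389 -starttls ldap -CAfile server.cert` shows whether the server ever answers the ClientHello, which is the symptom discussed above.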