Definitely not an entropy problem. I see "ACCEPT" in the logs, but nothing else.
I hadn't realized RedHat was so damn behind. I'm going to generate a custom package with the latest version and see if the problem goes away.
On Wed, Sep 25, 2013 at 2:21 PM, Dan White dwhite@olp.net wrote:
On 09/25/13 13:43 -0700, Chad Scott wrote:
I'm having a lot of trouble with replication when using SSL. If I configure everything exactly the same without SSL, it works flawlessly. The instant I try to encrypt traffic, one or both servers will deadlock, even after restart.
Does slapd still respond? If so, verify that your entropy is not being depleted for your ssl connections. I believe by default openssl uses /dev/random which can block. Check /proc/sys/kernel/random/entropy_avail.
I'm configuring according to the instructions at
http://www.openldap.org/doc/admin24/replication.html#N-WayMulti-Master, except using ldaps:// instead of ldap://.
In cn=config, I've setup:

olcTLSCACertificateFile: /etc/openldap/certs/Operations_CA_Certificate.pem
olcTLSCertificateFile: /etc/openldap/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
I've also tried using STARTTLS over ldap:// and it seems to make no difference.
Permissions are right and I can connect via SSL from clients without issue.
I'm completely stumped as to what might be going on. Has anyone seen this before?
This is running on Scientific Linux 6 with the following packages:

openldap-2.4.23-32.el6_4.x86_64
openldap-clients-2.4.23-32.el6_4.x86_64
openldap-servers-2.4.23-32.el6_4.x86_64
-- Dan White
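The two checks raised in this thread (the olcTLS* file paths in cn=config, and the kernel's available entropy) can be scripted as a pre-flight test before blaming slapd. The script below is an added example, not code from the thread or from the OpenLDAP project; it assumes a cn=config LDIF export is available (for instance from slapcat -n 0), treats file paths, the entropy-file location and the 256-bit threshold as arguments so it can be run against constructed data, and flags a world-readable private key as a warning.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): pre-flight checks for
# TLS-enabled slapd replication. Reads olcTLS*File attributes out of a
# cn=config LDIF and verifies each file is a readable regular file, then
# reports available kernel entropy. All paths are arguments so the checks
# can be exercised on constructed test files.

# tls_paths LDIF: print "attribute path" for each olcTLS*File line.
tls_paths() {
    grep -E '^olcTLS(CACertificate|Certificate|CertificateKey)File:' "$1" \
        | sed 's/: */ /'
}

# check_tls_files LDIF: return 0 if every olcTLS*File path is a readable
# regular file; print each problem and return 1 otherwise. A private key
# readable by others is reported as a warning but does not fail the check.
check_tls_files() {
    bad=0
    tmp=$(mktemp) || return 2
    tls_paths "$1" > "$tmp" || true
    while read -r attr path; do
        if [ ! -f "$path" ]; then
            echo "MISSING    $attr $path"
            bad=$((bad + 1))
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $attr $path"
            bad=$((bad + 1))
        else
            echo "OK         $attr $path"
            # -perm -004: file has the "other" read bit set
            if [ "$attr" = "olcTLSCertificateKeyFile" ] \
                && [ -n "$(find "$path" -perm -004)" ]; then
                echo "WARN       private key is world-readable: $path"
            fi
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$bad" -eq 0 ]
}

# check_entropy [FILE] [MIN]: print the available entropy and return 0 if
# it is at least MIN bits (default 256; Dan's /dev/random concern above).
check_entropy() {
    file="${1:-/proc/sys/kernel/random/entropy_avail}"
    min="${2:-256}"
    avail=$(cat "$file") || return 2
    echo "$avail"
    [ "$avail" -ge "$min" ]
}

# Usage (constructed): sh tlscheck.sh /path/to/cn-config.ldif
if [ -n "${1:-}" ]; then
    check_tls_files "$1"
    check_entropy
fi
```

Run it as the user slapd runs under, not as root, since root can read files that the slapd user cannot and the readability check would otherwise pass spuriously.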