I changed the ldap.conf file in the client so instead of TLS_CACERTDIR now I'm using TLC_CACERT <file.pem> and the error now is this one:

# ldapsearch -x -d1   # it's the same error if I set -H server
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: error: connect - force handshake failure -1 - error -8054:Unknown code ___f 138
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
and the server says:

slap_listener_activate(8):
slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1034
connection_read(12): checking for input on id=1034
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1034
connection_read(12): checking for input on id=1034
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
connection_read(12): TLS accept failure error=-1 id=1034, closing
connection_close: conn=1034 sd=12
I can't understand why the server complains about a bad certificate, when the client certificate was generated there :O by the openssl libraries.
As said, thanks a lot for your time, j
On 4/12/11 9:33 PM, Quanah Gibson-Mount wrote:
--On Tuesday, April 12, 2011 9:14 PM +0200 Judith Flo Gaya <jflo@imppc.org> wrote:

Hello Quanah,

ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not initialize moznss using security dir /etc/openldap/cacerts
It sounds to me like you linked it against MozNSS instead of OpenSSL. I would suggest you rebuild it with --with-tls=openssl
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
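An added example, not part of the thread above: a small Python parser that walks the two debug traces quoted in this message (copied here as constructed input, one record per line) and reports the client's numeric TLS error, the handshake state slapd was in when it gave up, and whether the fatal alert was read from the peer or written by slapd itself. OpenSSL's info callback logs "alert read" for alerts received from the other end and "alert write" for alerts it sent, so the direction shows which side rejected a certificate.

```python
import re

# Client-side ldapsearch -x -d1 output from the message above, re-wrapped one
# record per line (constructed copy for this example).
CLIENT_TRACE = """\
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: error: connect - force handshake failure -1 - error -8054:Unknown code ___f 138
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

# Server-side slapd trace from the same message (constructed copy).
SERVER_TRACE = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
"""


def summarize(client_trace, server_trace):
    """Pair the two traces: what each side reported and who sent the fatal alert."""
    out = {"client_error": None, "server_state": None, "alert": None, "alert_origin": None}
    for line in client_trace.splitlines():
        # "TLS: error: ... error -8054:..." carries the client library's numeric code
        m = re.search(r"TLS: error: .*error (-?\d+):", line)
        if m:
            out["client_error"] = int(m.group(1))
    for line in server_trace.splitlines():
        # The handshake state slapd was waiting in when the failure surfaced
        m = re.match(r"TLS trace: SSL_accept:(?:error|failed) in (.*)", line)
        if m:
            out["server_state"] = m.group(1).strip()
        # "alert read" = received from the peer; "alert write" = sent by this side
        m = re.match(r"TLS trace: SSL3 alert (read|write):(\w+):(.*)", line)
        if m:
            out["alert"] = (m.group(2), m.group(3).strip())
            out["alert_origin"] = "peer" if m.group(1) == "read" else "self"
    return out


if __name__ == "__main__":
    print(summarize(CLIENT_TRACE, SERVER_TRACE))
```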