Hi Everyone,

I'm trying to set up a new OpenLDAP service utilising TLS. At the
moment it all appears to work fine without TLS, but unfortunately it
always fails with it.

The service is running on neptune.mps.lan (with a CNAME for ldap), and
my client desktop box is called blacktip. The server is Ubuntu 10.04 LTS
server, and the desktop is also Ubuntu 10.04; both with latest updates.

I have created a Self signed CA and, after setting up the server keys, I
have installed this onto the client. I then added the following line to
the client /etc/ldap.conf:
TLS_CACERT /etc/ssl/certs/slapd-ca-cert.pem

This is the command I am running to test the connection:
root@blacktip:~# ldapsearch -d 16383 -x -h ldap.mps.lan -ZZ -b dc=mps,dc=lan
ldap_create
ldap_url_parse_ext(ldap://ldap.mps.lan)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.mps.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.203:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x7f1965937630 ptr=0x7f1965937630 end=0x7f196593764f
len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37     .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x7f1965937630 ptr=0x7f1965937635 end=0x7f196593764f
len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e  w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                    1466.20037
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37     .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37     .4.1.1466.20037
ldap_result ld 0x7f196592f3a0 msgid 1
wait4msg ld 0x7f196592f3a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f196592f3a0 msgid 1 all 1
** ld 0x7f196592f3a0 Connections:
* host: ldap.mps.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug  2 16:48:35 2010


** ld 0x7f196592f3a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f196592f3a0 request count 1 (abandoned 0)
** ld 0x7f196592f3a0 Response Queue:
   Empty
  ld 0x7f196592f3a0 response count 0
ldap_chkResponseList ld 0x7f196592f3a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f196592f3a0 NULL
ldap_int_select
read1msg: ld 0x7f196592f3a0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a                           0....x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e50 end=0x7f1965938e5c
len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00              ...x........
read1msg: ld 0x7f196592f3a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e53 end=0x7f1965938e5c len=9
  0000:  78 07 0a 01 00 04 00 04  00                       x........
read1msg: ld 0x7f196592f3a0 0 new referrals
read1msg:  mark request completed, ld 0x7f196592f3a0 msgid 1
request done: ld 0x7f196592f3a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e53 end=0x7f1965938e5c len=9
  0000:  78 07 0a 01 00 04 00 04  00                       x........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e53 end=0x7f1965938e5c len=9
  0000:  78 07 0a 01 00 04 00 04  00                       x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e5c end=0x7f1965938e5c len=0

ldap_msgfree
tls_write: want=93, written=93
  0000:  16 03 02 00 58 01 00 00  54 03 02 4c 56 e8 d3 01  ....X...T..LV...
  0010:  2e bb 5d b7 71 7e ec ab  4c e0 6a 32 63 85 76 88  ..].q~..L.j2c.v.
  0020:  b9 12 b3 fc e3 56 fe 2a  db 9a 0d 00 00 24 00 33  .....V.*.....$.3
  0030:  00 45 00 39 00 88 00 16  00 32 00 44 00 38 00 87  .E.9.....2.D.8..
  0040:  00 13 00 66 00 2f 00 41  00 35 00 84 00 0a 00 05  ...f./.A.5......
  0050:  00 04 01 00 00 07 00 09  00 03 02 00 01            .............
tls_read: want=5, got=0

TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: A TLS packet with unexpected length was received.


As you can see, the TLS connection fails to negotiate. I have
extensively googled this error but have not yet found a cause nor a
solution.

OpenLDAP server version:
root@neptune:~# slapd -V
@(#) $OpenLDAP: slapd 2.4.21 (Apr 26 2010 11:08:43) $
        buildd@yellow:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
GnuTLS library version:
root@neptune:~# aptitude show libgnutls26 | grep ^Ver
Version: 2.8.5-2

Many thanks in advance for any help/advice given.

Kind Regards,

Russell Knighton
--
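For anyone reading this thread later, here is an added example (my own, not Russell's code and not part of OpenLDAP) that reproduces the wire-level steps visible in the trace above so the failure can be narrowed down without the full -d 16383 dump: it builds the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), decodes the ExtendedResponse, and classifies whatever the server sends back after the TLS ClientHello. The sample byte strings are copied from the ber_dump / ldap_read lines in the trace. The host name and port in the live probe are assumed values for illustration; the probe itself needs a network and is not exercised by the offline checks.

```python
"""LDAP StartTLS probe: BER encode/decode of the StartTLS exchange plus a
classifier for the bytes that follow the client's TLS ClientHello.
Added example for this thread, not OpenLDAP code."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # requestName seen in the trace (RFC 4511)

# Constructed from the trace above: the 31-byte request ldapsearch wrote,
# and the 14-byte ExtendedResponse (resultCode 0 = success) slapd answered.
SAMPLE_STARTTLS_REQUEST = bytes.fromhex(
    "301d020101771880" "16" "312e332e362e312e342e312e313436362e3230303337")
SAMPLE_STARTTLS_RESPONSE = bytes.fromhex("300c02010178070a010004000400")


def ber_tlv(tag, payload):
    """Encode one BER element (short form, or long form up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    request_name = ber_tlv(0x80, STARTTLS_OID)    # context tag 0 = requestName
    extended_req = ber_tlv(0x77, request_name)    # 0x60 | 23 = ExtendedRequest
    message_id = ber_tlv(0x02, bytes([msgid]))
    return ber_tlv(0x30, message_id + extended_req)


def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, payload, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                               # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """Decode LDAPMessage { messageID, [APPLICATION 24] ExtendedResponse }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(body, 0)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:                                # 0x60 | 24 = ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp, 0)               # resultCode ENUMERATED
    _, matched, pos = read_tlv(resp, pos)          # matchedDN
    _, diag, pos = read_tlv(resp, pos)             # diagnosticMessage
    return {"msgid": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def classify_tls_reply(data):
    """Classify the first bytes the server sends after our ClientHello.
    Empty input is the 'tls_read: want=5, got=0' case: the peer closed the socket."""
    if not data:
        return "closed"
    if data[0] == 0x16:
        return "handshake"                         # ServerHello etc.
    if data[0] == 0x15:
        return "alert"                             # TLS alert record
    return "not-tls"                               # e.g. an LDAP message instead of TLS


def starttls_probe(host="ldap.mps.lan", port=389, cafile=None, timeout=10):
    """Live check (assumed host; needs a network): StartTLS, then a TLS handshake.
    Returns a verdict string rather than raising."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        reply = parse_extended_response(sock.recv(4096))
        if reply["result_code"] != 0:
            return "starttls refused: code %d %s" % (reply["result_code"], reply["diagnostic"])
        ctx = ssl.create_default_context(cafile=cafile)   # cafile = the CA cert from TLS_CACERT
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls ok: %s" % tls.version()
        except ssl.SSLError as exc:
            return "tls handshake failed: %s" % exc
        except OSError as exc:                     # peer dropped the TCP connection mid-handshake
            return "connection closed during handshake: %s" % exc
```

Reading the trace with this in hand: the ExtendedResponse decodes to resultCode 0, so slapd accepted the StartTLS request; the client then wrote a 93-byte ClientHello (record header 16 03 02 00 58, a handshake record with record version 3.2) and the very next read returned 0 bytes, which is the "closed" case above: the server ended the TCP connection during the handshake rather than sending a ServerHello or an alert. That puts the problem on the slapd/GnuTLS side of the handshake rather than in the client's CA setup, so the server's own log (with a higher loglevel) is the next thing to check.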