* Chuck Theobald chuckt@uoregon.edu [2015-04-23 22:34:31]:
What is the current wisdom regarding which tls library to use?
I've got a version 2.4.39 installation on RHEL 6.6 for which I cannot get tls to work. I end up with the "TLS: can't connect: TLS error -5938:Encountered end of file." error. Likely a misconfiguration of moznss, though I followed one set of directions using certutil, but lack the proper setting for my ldap TLSCACertificateFile.
My Debian-based ldap servers run with either openssl or gnutls.
I've managed to get the stock RHEL 6/7 2.4.39 packages to work with the standard PEM-encoded certificates/keys generated by OpenSSL without needing to convert them into the NSS-specific format.
My TLS settings are simply:
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
Also, if you have SELinux enabled, check that these files are labelled with the correct context, as that can be a source of phantom errors.
HTH
Matt
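The checks Matt lists (PEM-encoded files at the configured paths, a private key only slapd's user can read, correct SELinux labels) can be run as a pre-flight script before restarting slapd. The script below is an added example written for this thread; it is not code from either poster or from the OpenLDAP project. It assumes the three paths from the olcTLS* settings above as defaults, and the helper names (pem_has, key_unencrypted, key_private, selinux_check, check_tls_files, check_tls_chain) are hypothetical ones chosen here. The chain and key-match checks need openssl and are skipped when it is absent.

```shell
#!/bin/sh
# Pre-flight check for the PEM files behind slapd's olcTLS* settings.
# Added example for this thread, not from the original posts or from OpenLDAP.
# Assumed defaults: /etc/openldap/certs/{ca.crt,ldap.crt,ldap.key}.

# pem_has FILE TYPE: true if FILE is readable and carries a PEM block whose
# header ends with TYPE (e.g. "CERTIFICATE" or "PRIVATE KEY").
pem_has() {
    [ -r "$1" ] && grep -q -e "^-----BEGIN .*$2-----" "$1"
}

# key_unencrypted FILE: true unless the key is passphrase-protected; slapd is a
# daemon and has no way to prompt for a passphrase at startup.
key_unencrypted() {
    ! grep -q -e "ENCRYPTED" "$1"
}

# key_private FILE: true if group and other hold no permission bits at all
# (columns 5-10 of "ls -l" output are the group and other triplets).
key_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# selinux_check FILE: print the file's SELinux context and compare it with what
# the loaded policy expects (matchpathcon -V). Returns 0 when SELinux is absent
# or disabled, or when the label matches. The context is the second-to-last
# field of "ls -dZ" on both the RHEL 6 and the newer coreutils output formats.
selinux_check() {
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce 2>/dev/null)" = "Disabled" ]; then
        echo "INFO: SELinux not active; no label check for $1"
        return 0
    fi
    echo "INFO: $1 context: $(ls -dZ "$1" 2>/dev/null | awk '{print $(NF-1)}')"
    if command -v matchpathcon >/dev/null 2>&1 && ! matchpathcon -V "$1" >/dev/null 2>&1; then
        echo "FAIL: $1 does not carry the context the policy expects; run restorecon -v on it"
        return 1
    fi
    return 0
}

# check_tls_files CA_CRT SERVER_CRT SERVER_KEY: offline checks, one line per
# finding; returns 0 only when every check passed.
check_tls_files() {
    ca=$1; crt=$2; key=$3; rc=0
    pem_has "$ca" "CERTIFICATE"  || { echo "FAIL: $ca is not a readable PEM certificate"; rc=1; }
    pem_has "$crt" "CERTIFICATE" || { echo "FAIL: $crt is not a readable PEM certificate"; rc=1; }
    pem_has "$key" "PRIVATE KEY" || { echo "FAIL: $key is not a readable PEM private key"; rc=1; }
    if [ -r "$key" ]; then
        key_unencrypted "$key" || { echo "FAIL: $key is passphrase-protected"; rc=1; }
        key_private "$key"     || { echo "FAIL: $key is readable by group/other; chmod 600 it"; rc=1; }
    fi
    for f in "$ca" "$crt" "$key"; do
        selinux_check "$f" || rc=1
    done
    return $rc
}

# check_tls_chain CA_CRT SERVER_CRT SERVER_KEY: the server certificate must
# verify against the CA file, and the key must belong to that certificate.
check_tls_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not installed"; return 0; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL: $2 does not verify against $1"; return 1; }
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: public key in $2 does not match $3"; return 1; }
    echo "OK: $2 chains to $1 and matches $3"
}

# Usage: sh tlscheck.sh --run [CA_CRT SERVER_CRT SERVER_KEY]
if [ "${1:-}" = "--run" ]; then
    ca=${2:-/etc/openldap/certs/ca.crt}
    crt=${3:-/etc/openldap/certs/ldap.crt}
    key=${4:-/etc/openldap/certs/ldap.key}
    check_tls_files "$ca" "$crt" "$key" && check_tls_chain "$ca" "$crt" "$key"
fi
```

Run it as the user slapd runs as, or with sudo -u ldap, so that the readability checks reflect what the daemon actually sees; a file root can read but ldap cannot produces the same "end of file" style failure as a missing file.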