Hello,

I have configured LDAP server on linux  with TLS support and was able to fetch data from it using the ldapsearch utility.
However, when i tried to do this searching via code i got following errors:

Error at Server Side:

slap_listener_activate(10):
>>> slap_listener(ldaps://)
connection_get(15): got connid=47
connection_read(15): checking for input on id=47
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(15): got connid=47
connection_read(15): checking for input on id=47
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
connection_read(15): TLS accept failure error=-1 id=47, closing
connection_closing: readying conn=47 sd=15 for close
connection_close: conn=47 sd=15


Error at Client side:

[root@localhost LDAP1]# ./ldapSearch
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost.localdomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad@tcs.com, issuer: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad@tcs.com
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string

Error in ldap_start_tls_s -1:Can't contact LDAP serverTest..1
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
Test..2: -1
ldap_err2string

Failure of LDAP bind -1-Can't contact LDAP server
[root@localhost LDAP1]#


Snippet of client code for TLS support used by Me:

  ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
                    &version );

  ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "/root/cacert.pem");
  ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, "/usr/local/etc/openldap/ldap.client.pem");
  ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, "/usr/local/etc/openldap/ldap.client.key.pem");
  ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON);
  val = LDAP_OPT_X_TLS_ALLOW;
  ldap_set_option (ld, LDAP_OPT_X_TLS, &val);

  status = ldap_start_tls_s(ld, NULL, NULL);



Please let me know as to what is missing in my code that is triggering the above errors.
Also if there are any sample TLS client code, please let me know where can i get it.

Thanks,

Dhiraj Kumar Prasad
Tata Consultancy Services
Mailto: dhiraj.prasad@tcs.com
Website:
http://www.tcs.com
____________________________________________
Experience certainty.        IT Services
                       Business Solutions
                       Outsourcing
____________________________________________
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you