Hi Chris:
I have to regenerate the CA, and make sure that the hostname and common name
match (ldap.server.com); the following is the command output:
[root@ldap.server.com ~]# echo | openssl s_client -connect ldap.server.com:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=CN/ST=BJ/O=TS/OU=IT/CN=ldap.server.com/emailAddress=tianzy@server.com
verify return:1
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=ldap.server.com/emailAddress=tianzy@server.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
On the LDAP server, running the command "ldapsearch -x -H ldap://ldap.server.com -ZZ"
is OK, so I think the CA is no problem now. But on my client it also outputs
"ldap_start_tls: Connect error (-11)".
LDAP Server log file output:
Oct 24 11:41:41 auth slapd[14371]: conn=49 fd=14 ACCEPT from IP=192.168.9.9:46226 (IP=0.0.0.0:389)
Oct 24 11:41:41 auth slapd[14371]: conn=49 op=0 STARTTLS
Oct 24 11:41:41 auth slapd[14371]: conn=49 op=0 RESULT oid= err=0 text=
Oct 24 11:41:41 auth slapd[14371]: conn=49 fd=14 closed (TLS negotiation failure)
Tian Zhiying
From: Chris Jacobs
Date: 2013-10-23 22:18
To: tianzy1225; DieterKlünter; openldap-technical
Subject: RE: Re: OpenLDAP 2.3.4 TLS negotiation failure
Inline...
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Tian Zhiying
Sent: Wednesday, October 23, 2013 2:59 AM
To: DieterKlünter; openldap-technical
Subject: Re: Re: OpenLDAP 2.3.4 TLS negotiation failure
Hi Dieter:
Thanks for your quick reply.
I have changed to 'TLS_REQCERT try' and checked the commonName of the host
certificate; the common name is the LDAP server hostname "auth.server.com".
The following is the query result:
[root@auth cacerts]# openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddress=tianzy@server.com
verify error:num=18:self signed certificate
verify return:1
Here is your problem. The host does not trust the SSL cert.
The 'CAfile' you've pointed the openssl command at (and, guessing by the path, the
real clients) isn't the CA chain for that SSL cert.
We also use an internal CA that our hosts don't trust globally. Same command and
output for me:
[root@ldapmaster1.[snip] ~]# echo | openssl s_client -connect ldapmaster1.[snip]:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, O = [snip], OU = PKI, CN = [snip] Internal Root CA
verify return:1
depth=1 C = US, O = [snip], OU = PKI, CN = [snip] Internal Issuing CA 01
verify return:1
depth=0 C = US, ST = WA, L = Seattle, O = [snip], CN = ldap-vip. [snip], emailAddress = [snip]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
The command then continues to dump the cert, and the chain certs, as expected.
You must put the entire CA chain from the Root CA to the signing/subordinate CA that
signed this SSL cert (if applicable) in x509/PEM format in your 'CAfile' -
assuming the Root CA isn't trusted server wide already.
Then try again. Also, make sure to use the name specified in your SSL cert when
connecting/testing - mess with your local hosts file if needed.
- chris
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddress=tianzy@server.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Now, the /etc/openldap/ldap.conf file:
URI ldap://ldap.server.com/
BASE dc=server,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
#SSL ON
TLS_REQCERT try
But when I run "#ldapsearch -x -H ldap://ldap.server.com -ZZ", I also get the
following error:
[root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ
ldap_start_tls: Connect error (-11)
________________________________________
Tian Zhiying
From: DieterKlünter
Date: 2013-10-23 17:35
To: openldap-technical
CC: tianzy1225
Subject: Re: OpenLDAP 2.3.4 TLS negotiation failure
On Wed, 23 Oct 2013 16:47:25 +0800, "Tian Zhiying" <tianzy1225@thundersoft.com> wrote:
> Hi
>
> On the LDAP server, running the following commands is OK:
> #ldapsearch -x -H ldap://ldap.server.com -ZZ
> #ldapsearch -x -H ldap://ldap.server.com
>
> But on my client, running "#ldapsearch -x -H ldap://ldap.server.com" is OK;
> running "#ldapsearch -x -H ldap://ldap.server.com -ZZ", I get the
> following error:
> [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ
> ldap_start_tls: Connect error (-11)
>
> In the LDAP server log file, I get the following error messages:
> Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 ACCEPT from IP=192.168.9.9:45648 (IP=0.0.0.0:389)
> Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 STARTTLS
> Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 RESULT oid= err=0 text=
> Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 closed (TLS negotiation failure)
>
> My client ldap configuration:
> /etc/openldap/ldap.conf file:
> URI ldap://ldap.server.com/
> BASE dc=server,dc=com
> TLS_CACERT /etc/openldap/cacerts/ca.crt
> SSL ON
> TLS_REQCERT demand
Set 'TLS_REQCERT try' and check the commonName of the host
certificate.
SSL ON is not an openldap configuration parameter.
The /etc/ldap.conf file is not an openldap client configuration file,
but one of nss_ldap.
> /etc/ldap.conf file:
> BASE dc=server,dc=com
> URI ldap://ldap.server.com
> SSL ON
> TLS_CACERT /etc/openldap/cacert/ca.crt
> TLS_REQCERT demand
>
> Any suggestion what cause TLS negotiation failure?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E