Hello,
I'm having a problem getting TLS connections working properly when clients of the server are built against GnuTLS. When clients are built against OpenSSL, TLS connections work properly.
If OpenLDAP is built against GnuTLS, TLS connections fail with this error (some debug included):
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_start_tls: Connect error (-11)
For testing, I've tried the following setups. Each uses the same configuration:

GnuTLS (client)  -> GnuTLS (server)  = failure
OpenSSL (client) -> GnuTLS (server)  = success
GnuTLS (client)  -> OpenSSL (server) = failure
OpenSSL (client) -> OpenSSL (server) = success
Also, I have used GnuTLS's testing tools (gnutls-serv and gnutls-cli) to verify that GnuTLS is working properly with the certificate.

gnutls-serv \
  --x509certfile /etc/ssl/my_ssl/server.crt \
  --x509keyfile /etc/ssl/my_ssl/server.key

gnutls-cli \
  --x509cafile /etc/ssl/certs/ca-certificates.crt \
  -p 5556 \
  ldapserver.mydomain.com
GnuTLS output:
- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
Versions used:
GnuTLS 2.2.1
OpenSSL 0.9.8c
OpenLDAP 2.4.9
Does anyone have any ideas what's going on, or any idea how to troubleshoot this further?
Is this something that should go to the openldap-bugs mailing list?
Thank you.
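The post above shows gnutls-cli trusting the server when it is handed /etc/ssl/certs/ca-certificates.crt explicitly, while the libldap client fails with "peer cert untrusted or revoked". Before chasing library differences, it is worth confirming two things about the certificate material itself: that the server certificate chains to the bundle the client is actually pointed at (the file named by TLS_CACERT in ldap.conf), and that the key file really belongs to the certificate file, since a swapped or stale pair fails at handshake time in a way that is easy to misread as a trust problem. The script below is an added example, not commands from the original post or from the OpenLDAP or GnuTLS projects; it builds a throwaway CA, an unrelated "wrong" CA, and a server certificate in a temp directory (all names and paths are constructed for the demo), then runs both checks with openssl and shows the failing case beside the passing one.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenLDAP/GnuTLS.
# Builds a throwaway PKI and checks (1) chain trust against a CA bundle and
# (2) that a private key matches a certificate. All names/paths are
# constructed for this demo (hypothetical).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed test PKI: a CA that signs the server cert, plus an unrelated CA
# standing in for a client whose trust bundle lacks the right root.
make_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 2 -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    >/dev/null 2>&1
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 2 -subj "/CN=Other CA" -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldapserver.mydomain.com" -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 -sha256 \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Check 1: does the server cert ($2) chain to the CA bundle ($1)?
# This is the bundle a libldap client reads from TLS_CACERT in ldap.conf.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Check 2: does private key $1 belong to certificate $2?
# Compares the public key derived from each side.
pair_ok() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

make_pki
echo "right CA bundle  : $(chain_ok "$WORK/ca.crt" "$WORK/server.crt")"
echo "wrong CA bundle  : $(chain_ok "$WORK/other.crt" "$WORK/server.crt")"
echo "key vs server.crt: $(pair_ok "$WORK/server.key" "$WORK/server.crt")"
echo "key vs ca.crt    : $(pair_ok "$WORK/server.key" "$WORK/ca.crt")"
```

To apply this to a real deployment, point chain_ok at the exact file TLS_CACERT names in the failing client's ldap.conf (and the server certificate the LDAP server presents), not at whatever bundle happened to work for gnutls-cli. Note that openssl verify exercises OpenSSL's validator only; to see what the GnuTLS side thinks of the same chain, feed it to GnuTLS's certtool with its --verify-chain option as well.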
--On Tuesday, May 20, 2008 1:53 PM -0400 Ben Goldsbury bgoldsbury@gleim.com wrote:
> If OpenLDAP is built against GnuTLS, TLS connections fail with this error (some debug included):
> Does anyone have any ideas what's going on, or any idea how to troubleshoot this further?
There are a number of bugs in GnuTLS that render it fairly difficult to use. See Debian bug#477396 for example.
I also suggest reading the note on -devel from Howard Chu on GnuTLS being considered unsafe to use from a security standpoint:
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
> Is this something that should go to the openldap-bugs mailing list?
OpenLDAP-bugs is really not a general purpose mailing list to just send reports to. You should file an ITS about problems first, and then follow-ups to the ITS (which will get recorded on the openldap-bugs list). This way the mail stays in the ITS system so it can be tracked, and you have a bug# in which everything is tracked.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration