What is the current wisdom regarding which tls library to use?
I've got a version 2.4.39 installation on RHEL 6.6 for which I cannot get tls to work. I end up with the "TLS: can't connect: TLS error -5938:Encountered end of file." error. Likely a misconfiguration of moznss, though I followed one set of directions using certutil, but lack the proper setting for my ldap TLSCACertificateFile.
My Debian-based ldap servers run with either openssl or gnutls.
Thanks,
Chuck Theobald wrote:
> What is the current wisdom regarding which tls library to use?
> I've got a version 2.4.39 installation on RHEL 6.6 for which I cannot get tls to work. I end up with the "TLS: can't connect: TLS error -5938:Encountered end of file." error. Likely a misconfiguration of moznss, though I followed one set of directions using certutil, but lack the proper setting for my ldap TLSCACertificateFile.
> My Debian-based ldap servers run with either openssl or gnutls.
Stick with OpenSSL - it's most heavily used, most frequently tested, and most commonly documented. MozNSS is the oldest and most "mature" code base but architecturally it is still very immature and it has a long way to go before its design is generally usable. GnuTLS is a travesty.
* Chuck Theobald chuckt@uoregon.edu [2015-04-23 22:34:31]:
> What is the current wisdom regarding which tls library to use?
> I've got a version 2.4.39 installation on RHEL 6.6 for which I cannot get tls to work. I end up with the "TLS: can't connect: TLS error -5938:Encountered end of file." error. Likely a misconfiguration of moznss, though I followed one set of directions using certutil, but lack the proper setting for my ldap TLSCACertificateFile.
> My Debian-based ldap servers run with either openssl or gnutls.
I've managed to get the stock RHEL 6/7 2.4.39 packages to work with the standard PEM-encoded certificates/keys generated by OpenSSL without needing to convert them into the NSS-specific format.
My TLS settings are simply:
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
Also check if you have SELinux enabled that these files are labelled with the correct context as that can be a source of phantom errors.
HTH
Matt
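The checks below are an added example and not part of Matt's reply or of OpenLDAP itself. They take the three PEM files his olcTLS* settings point at and test what slapd needs before it is restarted: the files are readable, they carry the right PEM headers, the private key is not group/world readable, and (when OpenSSL is installed) the CA actually issued the server certificate and the key belongs to it. It also prints the SELinux labels on an enforcing host, since a wrong context is the "phantom error" Matt mentions, and emits the LDIF that applies his settings to cn=config. The file names ca.crt, ldap.crt and ldap.key come from his message; the directory argument and every function name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for the PEM files
# referenced by the olcTLS* attributes, plus the LDIF that applies them.

# pem_has FILE KIND: true if FILE contains a "-----BEGIN KIND-----" line
pem_has() {
  grep -q -- "-----BEGIN $2-----" "$1" 2>/dev/null
}

# pem_key FILE: true if FILE holds an unencrypted PEM private key slapd can load
pem_key() {
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# key_private FILE: true if group and other have no permission bits
# (reads ls -l columns 5-10, so it works without GNU stat)
key_private() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_tls_files CA CERT KEY: prints each problem found, returns the count
check_tls_files() {
  ca=$1; cert=$2; key=$3; problems=0
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; problems=$((problems + 1)); }
  done
  pem_has "$ca" CERTIFICATE   || { echo "not a PEM certificate: $ca";   problems=$((problems + 1)); }
  pem_has "$cert" CERTIFICATE || { echo "not a PEM certificate: $cert"; problems=$((problems + 1)); }
  pem_key "$key"              || { echo "not a PEM private key: $key";  problems=$((problems + 1)); }
  if [ -r "$key" ] && ! key_private "$key"; then
    echo "private key readable by group/other: $key"; problems=$((problems + 1))
  fi
  # On an SELinux host, show the labels so a wrong context is visible at a glance
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
    ls -Z "$ca" "$cert" "$key" 2>/dev/null
  fi
  return $problems
}

# check_tls_chain CA CERT KEY: needs openssl; confirms CA issued CERT and that
# KEY's public half matches CERT. Returns the number of mismatches.
check_tls_chain() {
  ca=$1; cert=$2; key=$3; problems=0
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "CA $ca does not verify $cert"; problems=$((problems + 1)); }
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$c" ] && [ "$c" = "$k" ]; } \
    || { echo "private key $key does not match $cert"; problems=$((problems + 1)); }
  return $problems
}

# tls_config_ldif DIR: the settings from the reply as a cn=config modify, with
# DIR in place of /etc/openldap/certs. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
# olcTLSProtocolMin 3.1 is TLSv1.0 (the value in the reply); 3.3 would require TLSv1.2.
tls_config_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1/ca.crt
-
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: $1
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1/ldap.key
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
EOF
}

# Typical use on the server, before restarting slapd:
#   d=/etc/openldap/certs
#   check_tls_files "$d/ca.crt" "$d/ldap.crt" "$d/ldap.key" \
#     && check_tls_chain "$d/ca.crt" "$d/ldap.crt" "$d/ldap.key" \
#     && tls_config_ldif "$d" > tls.ldif
```

Run the two check functions as the user slapd runs as (ldap on RHEL), not as root: root can read a key that slapd cannot, and that difference is exactly the kind of misconfiguration that surfaces only as a bare "Encountered end of file" on the client side.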
openldap-technical@openldap.org