Hi all, I'm trying to establish a TLS connection with my newly configured OpenLDAP server, but every time I get the TLS Connection Failure error.

I have the following configuration in slapd.conf:

TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never

The CA and certs were created according to this tutorial: http://www.openldap.org/faq/data/cache/185.html
server error (with loglevel -1):

connection_get(29)
Jun 10 10:51:30 firma slapd[6203]: connection_get(29): got connid=190
Jun 10 10:51:30 firma slapd[6203]: connection_read(29): checking for input on id=190
Jun 10 10:51:30 firma slapd[6203]: connection_read(29): TLS accept failure error=-1 id=190, closing
Jun 10 10:51:30 firma slapd[6203]: connection_closing: readying conn=190 sd=29 for close
Jun 10 10:51:30 firma slapd[6203]: connection_close: conn=190 sd=29
Jun 10 10:51:30 firma slapd[6203]: daemon: removing 29
Jun 10 10:51:30 firma slapd[6203]: conn=190 fd=29 closed (TLS negotiation failure)
the client error:

# ldapsearch -d -1 -H ldap://192.168.2.49 -D 'cn=Manager,dc=melog,dc=com' -W -ZZ
ldap_create
ldap_url_parse_ext(ldap://192.168.2.49)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.2.49:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.2.49:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x978a418 ptr=0x978a418 end=0x978a437 len=31
  0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
  0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x978a418 ptr=0x978a41d end=0x978a437 len=26
  0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
  0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush: 31 bytes to sd 3
  0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
  0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
  0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
  0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0x9782218 msgid 1
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
wait4msg ld 0x9782218 msgid 1 (infinite timeout)
wait4msg continue ld 0x9782218 msgid 1 all 1
** ld 0x9782218 Connections:
* host: 192.168.2.49 port: 389 (default)
  refcnt: 2 status: Connected
  last used: Thu Jun 10 10:50:24 2010

** ld 0x9782218 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x9782218 Response Queue:
   Empty
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
ldap_int_select
read1msg: ld 0x9782218 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000: 30 84 00 00 00 10 02 01 0.......
ldap_read: want=14, got=14
  0000: 01 78 84 00 00 00 07 0a 01 00 04 00 04 00 .x............
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x978b550 ptr=0x978b550 end=0x978b560 len=16
  0000: 02 01 01 78 84 00 00 00 07 0a 01 00 04 00 04 00 ...x............
read1msg: ld 0x9782218 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000: 78 84 00 00 00 07 0a 01 00 04 00 04 00 x............
read1msg: ld 0x9782218 0 new referrals
read1msg: mark request completed, ld 0x9782218 msgid 1
request done: ld 0x9782218 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000: 78 84 00 00 00 07 0a 01 00 04 00 04 00 x............
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000: 78 84 00 00 00 07 0a 01 00 04 00 04 00 x............
ber_scanf fmt (}) ber:
ber_dump: buf=0x978b550 ptr=0x978b560 end=0x978b560 len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142
  0000: 80 8c 01 03 01 00 63 00 00 00 20 00 00 39 00 00 ......c... ..9..
  0010: 38 00 00 35 00 00 88 00 00 87 00 00 84 00 00 16 8..5............
  0020: 00 00 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 ...........3..2.
  0030: 00 2f 00 00 45 00 00 44 00 00 41 00 00 07 05 00 ./..E..D..A.....
  0040: 80 03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 ................
  0050: 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 ........@.......
  0060: 00 08 00 00 06 04 00 80 00 00 03 02 00 80 9b 34 ...............4
  0070: a3 18 95 67 ad a3 47 d0 89 9b 85 3f e2 e5 7a 44 ...g..G....?..zD
  0080: e5 72 f1 07 82 06 51 45 f2 17 d9 a2 47 51 .r....QE....GQ
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0

TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
The client is configured with:

TLS_CACERT /etc/openldap/cacert.pem

and the cacert is the same as on the server. I'm using Gentoo with openldap 2.4.19-r1 and openssl 0.9.8n.

I've been working on this for a long time and currently have no idea why it does not work...
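As an added illustration (not part of the thread), the Python below decodes the 142-byte record from the tls_write dump in the trace above: it is an SSLv2-format CLIENT-HELLO carrying version 3.1 (TLS 1.0), 33 cipher specs and a 32-byte challenge, which the server closed on without a reply (tls_read: want=7, got=0). Only the dump text is taken from the post; the parser and its field names are mine.

```python
import re

# Dump copied from the ldapsearch -d -1 trace above (tls_write: want=142, written=142).
CLIENT_HELLO_DUMP = """
0000: 80 8c 01 03 01 00 63 00 00 00 20 00 00 39 00 00 ......c... ..9..
0010: 38 00 00 35 00 00 88 00 00 87 00 00 84 00 00 16 8..5............
0020: 00 00 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 ...........3..2.
0030: 00 2f 00 00 45 00 00 44 00 00 41 00 00 07 05 00 ./..E..D..A.....
0040: 80 03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 ................
0050: 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 ........@.......
0060: 00 08 00 00 06 04 00 80 00 00 03 02 00 80 9b 34 ...............4
0070: a3 18 95 67 ad a3 47 d0 89 9b 85 3f e2 e5 7a 44 ...g..G....?..zD
0080: e5 72 f1 07 82 06 51 45 f2 17 d9 a2 47 51 .r....QE....GQ
"""

def parse_hex_dump(dump):
    """Turn the libldap 'offset: bytes ascii' dump format back into bytes."""
    data = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")          # drop the offset column
        for tok in rest.split()[:16]:             # at most 16 bytes per line
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break                             # reached the ASCII column
            data.append(int(tok, 16))
    return bytes(data)

def parse_sslv2_client_hello(rec):
    """Decode an SSLv2-format CLIENT-HELLO as seen in the 'SSLv2/v3 write client hello' trace."""
    if not rec[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = ((rec[0] & 0x7F) << 8) | rec[1]     # 15-bit record length
    body = rec[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version = (body[1], body[2])                  # (3, 1) is TLS 1.0
    cs_len, sid_len, ch_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
    pos = 9
    specs = body[pos:pos + cs_len]; pos += cs_len
    pos += sid_len                                # session id (empty here)
    challenge = body[pos:pos + ch_len]; pos += ch_len
    if pos != len(body) or cs_len % 3:
        raise ValueError("length fields do not add up")
    ciphers = [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]
    return {"record_len": length, "version": version, "ciphers": ciphers,
            "session_id_len": sid_len, "challenge_len": len(challenge),
            # a non-zero first byte marks an SSLv2-only cipher kind; 00 xx yy wraps a TLS suite id
            "sslv2_only": [c for c in ciphers if not c.startswith("00")]}
```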
Radomir Klacza <rklacza@melog.com> writes:

> Hi all, I'm trying to establish a TLS connection with my newly configured OpenLDAP server, but every time I get the TLS Connection Failure error.
>
> I have the following configuration in slapd.conf:
>
> TLSCACertificateFile /etc/openldap/cacert.pem
> TLSCertificateFile /etc/openldap/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/serverkey.pem
> TLSVerifyClient never
>
> The CA and certs were created according to this tutorial: http://www.openldap.org/faq/data/cache/185.html
>
> [...]
>
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>
> The client is configured with:
>
> TLS_CACERT /etc/openldap/cacert.pem

Does the client have read access to /etc/openldap/ldap.conf and to /etc/openldap/cacert.pem?

> and the cacert is the same as on the server. I'm using Gentoo with openldap 2.4.19-r1 and openssl 0.9.8n.
>
> I've been working on this for a long time and currently have no idea why it does not work...
Could you start slapd with -h ldaps:/// and try openssl s_client -connect <server>:636 -CAfile /path/to/CA -showcerts and check the CN value of the certificate returned.
-Dieter
openldap-technical@openldap.org