Hi!

On Mon, Mar 06, 2006 at 09:55:23AM +0000, Greg Matthews wrote:
> yes, you can have a number of different CA certs depending on what you
> are connecting to. Dropping them into a directory means the ldap tools
> will be able to use them (after the symbolic links have been set up).
Today I have finally managed to make openldap (slapd) work with TLS/SSL.

Initially I tried DSA certs, and this always resulted in SSL handshake failure (no shared cipher), despite all my efforts, including different clients (pam_ldap, ldapsearch, openssl s_client) and an attempt to trace the root cause of the issue (I used slapd -d 65535, s_client's debug, tcpdump, then ssldump...). Ultimately, with the same cert/key pair, s_server succeeded with s_client (where slapd didn't). Well, for this I used ldaps:///, because ldap:///+TLS can't work with s_client AFAIU. But anyway this clearly shows there's something wrong with slapd, as s_server works OK under the same conditions...

Then I created an RSA cert of almost the same contents (RSA had email while DSA hadn't) and bitlength. This surprisingly enabled s_client to succeed. I suspect a bug in slapd's handling of SSL_CTX or DH params... I'd love to have more time to check and report it. :(

> > It looks like the bug is in libnss-ldap, or libpam-ldap,
> > not in su, but this has to be proven first.

Soon I'll be close to this.

--
WBR, xrgtn

