On Wed, Apr 02, 2008 at 02:34:12AM +0200, [EMAIL PROTECTED] wrote:
> now with the slapd 2.4.7 package (with gnutls) this seems to force
> client-certs, too. a TLS query without client-cert won't work - but
> commenting the 'security' line out results in working TLS and working
> non-TLS queries.
The default behavior when TLS is enabled is "TLSVerifyClient never"; 2.4.7
did have a bug related to this, but this was resolved in the 2.4.7-5 package.

> it seems like openssl and gnutls or slapd 2.3 and slapd 2.4 simply
> behave differently for 'security tls=128'.

That's possible, I never tested with 'security tls=<n>'.

> [EMAIL PROTECTED]:~$ ldapsearch -ZZ -x -h localhost -b dc=foo-bar,dc=baz
> "(objectClass=*)" -d 1
[...]
> res_errno: 13, res_error: <stronger TLS confidentiality required>,
[...]

Well, that's clear enough, anyway. Does server debugging indicate what it
thinks the current TLS strength is? You specified -ZZ, so *some* TLS is in
use - the question is why the server thinks it isn't strong enough?

> > TLS negotiation is protocol-specific; connecting on the LDAP port with
> > gnutls-cli is not a meaningful test of TLS support.

> oic!? i thought TLS works like a wrapper and has a common handshake for
> any protocol it subsequently transports... i would have found that
> elegant (and handy, e.g. for debugging with gnutls-cli ;) - too bad.

That accurately describes SSL, but not TLS. You could try connecting with
ldaps:// (after configuring the server for the additional port) instead of
ldap:// + TLS, then that part should work with gnutls-cli.

> > I haven't tested the -6.1 NMU specifically, but "worksforme" on the previous
> > builds of 2.4.7, and indeed I tested TLS support quite extensively while
> > getting 2.4.7 into shape for Debian.

> did you by chance test the server-cert-but-no-client-certs scenario?

Yes; the variable here is the specification of "security tls=128", I think.
Server debug logs may help here; I'm not familiar with that part of the TLS
code and will have to dig a bit.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                   [EMAIL PROTECTED]
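For readers following the thread, here is an added slapd.conf fragment (not from the message above, nor from the Debian package) that puts the two directives under discussion side by side. It assumes the slapd.conf format rather than cn=config, and the certificate paths are placeholders; the comments state what each setting does so the symptom in the thread (result 13, confidentialityRequired, "stronger TLS confidentiality required") can be read against the configuration that produces it.

```conf
# Added example, not part of the thread or the Debian package.
# Minimal TLS section of slapd.conf; file paths are placeholders.

# Server certificate and key.  The CA file is what slapd would use to
# verify a client certificate if one were ever presented.
TLSCACertificateFile   /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile     /etc/ldap/ssl/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/ssl/slapd-key.pem

# Default when TLS is enabled: the server never asks the client for a
# certificate.  Only "demand" (or "try"/"allow" with a bad cert) brings
# client certificates into play; this directive is not what rejects a
# cert-less client.
TLSVerifyClient never

# Require every operation on every connection to run over TLS whose
# negotiated cipher provides at least 128 bits of security strength.
# A client that has not completed StartTLS, or whose negotiated cipher
# slapd rates below 128, receives LDAP result 13 (confidentialityRequired)
# with the text "stronger TLS confidentiality required".  Commenting this
# line out is why both plain and TLS queries start working in the report.
security tls=128
```

Two things to check when the error appears even though `-ZZ` succeeded: the cipher slapd actually negotiated (with loglevel `stats`, each connection logs a `TLS established tls_ssf=N ssf=N` line, and N is the value compared against 128), and whether the `TLSCipherSuite` setting, whose syntax differs between the OpenSSL and GnuTLS builds, is restricting the server to ciphers that the GnuTLS build rates below the required strength. The ldaps:// alternative Steve mentions needs a second listener; on Debian that is the `SLAPD_SERVICES` variable in `/etc/default/slapd`, for example `"ldap:/// ldaps:///"`, after which `gnutls-cli` against port 636 exercises the same certificate and cipher configuration without LDAP's StartTLS exchange.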

