Hello list,

I have run into a problem with Apache and OpenLDAP which I pinned down to GnuTLS.

I have an LDAP server set up with TLS (it also runs Debian), but connecting to it turns out to be a problem. It works fine for local or unencrypted connections, but from another Debian box it doesn't. Behold ldapsearch:

ldapsearch -d 1 -x -H ldaps://ahostname -D 'cn=admin,dc=correct' -w 'lll' '(cn=admin)'
ldap_url_parse_ext(ldaps://ahostname)
ldap_create
ldap_url_parse_ext(ldaps://ahostname:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ahostname:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Connecting from a box running another distro works better:

ldap_url_parse_ext(ldaps://ahostname)
ldap_create
ldap_url_parse_ext(ldaps://ahostname:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ahostname:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
... etc etc.

The difference is, on Debian everything appears to be compiled with GnuTLS (including OpenLDAP and Apache), whereas on the other distros I've tried OpenSSL is used. So the obvious solution would be to use OpenSSL, but I suppose this would mean recompiling the Apache package, which may not be ideal from a stability viewpoint or to keep up with security updates.

Would it be possible to install the certificate on the client side (= Apache) and somehow suggest it to trust the certificate?

Archive: http://lists.debian.org/4c7e4c1e.8000...@gmail.com
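The trust failure in the post is a client-side verification problem, not a GnuTLS-versus-OpenSSL one: libldap refuses the connection because it cannot build a chain from the server certificate to a CA it has been told to trust. The script below is an added example, not code from the original post or from Debian, OpenLDAP or Apache. It reproduces the "peer cert untrusted" condition offline with throwaway CAs (all names are constructed; only "ahostname" is taken from the post), then prints the client configuration that fixes it by installing the issuing CA rather than by weakening verification. It assumes the `openssl` command-line tool (1.1.1 or later, for `-verify_hostname`); `TLS_CACERT` and `TLS_REQCERT demand` are real OpenLDAP client options read from `/etc/ldap/ldap.conf` or `~/.ldaprc`.

```shell
#!/bin/sh
# Added example (not code from the original post). Reproduces the
# "TLS: peer cert untrusted or revoked (0x42)" condition offline with a throwaway
# CA, then shows the client-side fix the post asks about: hand libldap the issuing
# CA via TLS_CACERT instead of relaxing verification. All names are constructed;
# "ahostname" is taken from the post.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway issuing CA (the one the LDAP server's certificate is really signed by).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Issuing CA" -keyout issuing-ca.key -out issuing-ca.crt 2>/dev/null

# An unrelated CA: what the client effectively trusts when the wrong bundle is used.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout other-ca.key -out other-ca.crt 2>/dev/null

# Server certificate for ahostname, signed by the issuing CA, with a SAN so that
# hostname checking (which libldap also performs) has something to match.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ahostname" -keyout ahostname.key -out ahostname.csr 2>/dev/null
printf 'subjectAltName=DNS:ahostname\n' > san.ext
openssl x509 -req -in ahostname.csr -CA issuing-ca.crt -CAkey issuing-ca.key \
    -CAcreateserial -days 1 -extfile san.ext -out ahostname.crt 2>/dev/null

# cert_trusted <ca-bundle> <server-cert> <expected-hostname>
# Returns 0 when the chain builds to a CA in the bundle AND the name matches,
# i.e. the two checks a strict ldaps:// client performs before sending a bind.
cert_trusted() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# ldap_client_conf <ca-bundle>
# Prints the lines for the client's /etc/ldap/ldap.conf (or ~/.ldaprc) that make
# libldap trust that CA while keeping verification strict. The same options apply
# whether libldap is built against GnuTLS (Debian) or OpenSSL.
ldap_client_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Show the three outcomes: right CA, wrong CA (the 0x42 case), wrong hostname.
report() {
    if cert_trusted "$1" ahostname.crt "$2"; then
        echo "$2 with $1: trusted"
    else
        echo "$2 with $1: untrusted (what the Debian client reported as 0x42)"
    fi
}

report issuing-ca.crt ahostname
report other-ca.crt ahostname
report issuing-ca.crt wrong.example

echo "--- client config once the issuing CA is copied to the Apache/ldapsearch box ---"
ldap_client_conf /etc/ssl/certs/example-issuing-ca.crt
```

The design point is that the only acceptable fix is the first case: copy the CA certificate that actually issued the server certificate to the client and reference it with `TLS_CACERT`, leaving `TLS_REQCERT demand` in place. Setting `TLS_REQCERT never` or `allow` would also make the error disappear, but it disables the check that protects the bind password against a spoofed server.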