Stig -
Thanks for the help. I've been working to narrow it down and it turns out
that the openldap 2.0.7 (and 2.0.9) will open SSL connections with sslv23 by
default. Apparently there is no way to choose another SSL protocol from the
openldap client or php's ldap functions. (Ref tls.c in the openldap srcs)
If I use openssl s_client to connect to my ldap server secure port I can only
connect if I use the -ssl2 or -no_tls1 options.
The net is that our ldap box uses v3 ldap and v2 SSL. It apparently doesn't
like to work with anything else.
So, what can be done to alter the php ldap functions (and openldap libs?) so
that you can choose the SSL protocol to use when connecting?
Interestingly enough the openssl s_client man page has this to say:

    By default the initial handshake uses a method which should be
    compatible with all servers and permit them to use SSL v3, SSL v2
    or TLS as appropriate.

    Unfortunately there are a lot of ancient and broken servers in use
    which cannot handle this technique and will fail to connect. Some
    servers only work if TLS is turned off with the -no_tls option,
    others will only support SSL v2 and may need the -ssl2 option.
Based on this warning it would seem like a bad choice for the openldap libs
to hard code sslv23 functionality. (Although working around the problem so
broken servers can stay gainfully employed also sucks.)
-- Scott
On Tue, May 22, 2001 at 04:45:33AM +0200, Stig Venaas wrote:
> On Mon, May 21, 2001 at 07:48:27PM -0400, Scott Russell wrote:
> > Using php 4.0.4pl1 with ssl and ldap support I'm connecting to a secure ldap
> > server. I want to be able to specify which level of ssl support I use,
> > either ssl1, ssl2, or ssl3. By default it appears as if php is trying to
> > connect using ssl3 which on my server fails during the ssl handshake.
> >
> > How can I tell the ldap_connect() / ldap_bind() functions to use ssl2 instead?
>
> All the work is done by the LDAP library, PHP just calls the LDAP library
> with ldaps://hostname, and the library does the rest. You would need to
> specify it in ldap.conf or something if at all possible.
>
> There was a problem with SSL/TLS and SASL in OpenLDAP. This should be
> fixed in 2.0.8, perhaps you should try without SASL if your library is
> compiled with SASL support. I've never had to care about ssl versions,
> I thought that should be worked out automatically.
>
> Stig
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
Scott
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
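Added example (not from this thread or from either poster) showing how the question "how do I choose the SSL/TLS protocol for a PHP LDAP connection?" is answered in later versions of the software. It assumes PHP 7.1 or newer and OpenLDAP 2.4 or newer, where ldap_set_option() exposes the library's TLS version constants; the PHP 4.0.4 / OpenLDAP 2.0.x combination discussed above had no such knob. The hostname is a placeholder. Note that the knob works in the safe direction (raising the minimum version), not by forcing SSLv2 as the 2001 server required:

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 and an OpenLDAP
// client library (2.4+) built with TLS, which together expose the
// LDAP_OPT_X_TLS_* options below; older combinations silently ignore them.

function ldap_connect_with_min_tls(
    string $uri,
    int $minProtocol = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
) {
    // TLS options passed with a null link are process-wide library defaults
    // and must be set before the first handshake of the process.
    ldap_set_option(null, LDAP_OPT_X_TLS_PROTOCOL_MIN, $minProtocol);
    // Refuse servers whose certificate does not validate instead of connecting anyway.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri);           // e.g. "ldaps://ldap.example.invalid:636" (placeholder)
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // LDAPv3, as the thread's server uses

    // The TLS handshake happens on the first operation; an anonymous bind is
    // enough to surface a version or certificate mismatch as an error.
    if (!@ldap_bind($ds)) {
        throw new RuntimeException('LDAPS bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Usage (placeholder host):
// $ds = ldap_connect_with_min_tls('ldaps://ldap.example.invalid:636');
```

The same minimum can be set for every OpenLDAP client on the machine, PHP included, from ldap.conf with a line such as `TLS_PROTOCOL_MIN 3.3` (TLS 1.2 in OpenLDAP's major.minor notation), which is the "specify it in ldap.conf" route Stig mentions; that directive also did not exist in the 2.0.x series being discussed.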