I am also having problems with Hardy slapd 2.4.9-0ubuntu0.8.04.2 and TLS. It seems OpenLDAP on Hardy is now compiled against GnuTLS, and not OpenSSL as it was in old versions.

I've created x509 certificates and signed them against our company CA. These work perfectly for Apache on Hardy (adding the CA cert to my browser shows the connection to Apache as working and verified). Experiments with gnutls-cli show the following:

1) Connecting to Apache on port 443 shows TLS success, connected via TLS 1.0:

    Processed 1 CA certificate(s).
    Processed 1 client certificates...
    Processed 1 client X.509 certificates...
    Resolving '***'...
    Connecting to '10.1.2.100:443'...
    - Certificate type: X.509
    - Got a certificate list of 2 certificates.
    - Certificate[0] info:
     # The hostname in the certificate matches '***'.
     # valid since: Fri Feb 6 14:36:14 EST 2009
     # expires at: Sun Feb 6 14:36:14 EST 2011
     # fingerprint: 7E:C2:AF:1B:75:7A:CB:0F:17:A6:10:8C:8B:1C:52:2B
     # Subject's DN: ***
     # Issuer's DN: ***
    - Certificate[1] info:
     # valid since: Tue Dec 5 13:42:33 EST 2006
     # expires at: Mon Dec 5 13:49:02 EST 2011
     # fingerprint: D5:63:08:F0:9C:E2:BB:47:35:EF:06:15:EF:54:DA:D8
     # Subject's DN: ***
     # Issuer's DN: ***
    - Peer's certificate is trusted
    - Version: TLS 1.0
    - Key Exchange: DHE RSA
    - Cipher: AES 256 CBC
    - MAC: SHA
    - Compression: DEFLATE
    - Handshake was completed

2) Connection to gnutls-serv on port 5556 shows TLS success, connected via TLS 1.1:

    Processed 1 CA certificate(s).
    Processed 1 client certificates...
    Processed 1 client X.509 certificates...
    Resolving '***'...
    Connecting to '10.1.2.100:5556'...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
     # The hostname in the certificate matches '***'.
     # valid since: Fri Feb 6 14:36:14 EST 2009
     # expires at: Sun Feb 6 14:36:14 EST 2011
     # fingerprint: 7E:C2:AF:1B:75:7A:CB:0F:17:A6:10:8C:8B:1C:52:2B
     # Subject's DN: ***
     # Issuer's DN: ***
    - Peer's certificate is trusted
    - Version: TLS 1.1
    - Key Exchange: DHE RSA
    - Cipher: AES 256 CBC
    - MAC: SHA
    - Compression: DEFLATE
    - Handshake was completed
    - Simple Client Mode:

3) Connection to slapd on ldaps:// port 636 shows:

    Processed 1 CA certificate(s).
    Processed 1 client certificates...
    Processed 1 client X.509 certificates...
    Resolving '***'...
    Connecting to '10.1.2.100:636'...
    *** Fatal error: A TLS packet with unexpected length was received.
    *** Handshake has failed
    GNUTLS ERROR: A TLS packet with unexpected length was received.

Using ldapsearch on plain-text ldap:/// port 389 works fine. ldapsearch on ldaps:/// returns errors. Running slapd in debug mode shows various errors, including similar "TLS packet of unexpected length" errors:

client:

    ldapsearch -x -H ldaps://localhost:636 -D "***" -w "***"

server:

    >>> slap_listener(ldaps:///)
    connection_get(13): got connid=1
    connection_read(13): checking for input on id=1
    connection_read(13): TLS accept failure error=-1 id=1, closing
    connection_closing: readying conn=1 sd=13 for close
    connection_close: conn=1 sd=13

--
slapd + gnutls fails
https://bugs.launchpad.net/bugs/217159
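A small diagnostic for the failure mode in item 3 above, added here as an example and not part of the bug report or of OpenLDAP/GnuTLS. It assumes (an assumption, not something the report confirms) that a GnuTLS "unexpected packet length" during the handshake means the server replied with something other than a well-formed TLS record, so it classifies the first bytes a server sends back on a TLS port and, separately, tries a full handshake with Python's ssl module. The sample replies are constructed.

```python
import socket
import ssl

# First byte of a TLS record identifies its content type (RFC 5246 section 6.2.1)
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
MAX_TLS_RECORD = 16384 + 2048  # plaintext limit plus permitted expansion

# Constructed sample replies a server might send right after a ClientHello
SAMPLE_REPLIES = {
    "healthy tls 1.1 server": b"\x16\x03\x02\x00\x4a" + b"\x02" * 74,
    "closed without reply": b"",
    "plaintext ldap on 636": b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00",
    "bad record length": b"\x16\x03\x01\xff\xff",
    "http on tls port": b"HTTP/1.1 400 Bad Request\r\n",
}


def classify_server_bytes(data: bytes) -> str:
    """Explain what the server sent back instead of (or as) a TLS record."""
    if not data:
        return "connection closed without a TLS record"
    if data[0] == 0x30:  # ASN.1 SEQUENCE: an LDAP PDU, i.e. plaintext LDAP
        return "plaintext LDAP (BER SEQUENCE) on the TLS port"
    if len(data) < 5:
        return "truncated TLS record header"
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or major != 3:
        return "not a TLS record"
    kind = TLS_CONTENT_TYPES[ctype]
    if length == 0 or length > MAX_TLS_RECORD:
        return f"TLS {kind} record with bad length {length}"
    return f"TLS {kind} record (version {major}.{minor}, length {length})"


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_server_bytes(raw) for name, raw in SAMPLE_REPLIES.items()}


def probe_ldaps(host: str, port: int = 636, cafile=None, timeout: float = 5.0) -> str:
    """Attempt a verified TLS handshake against an ldaps:// port (needs network)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"handshake ok: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"
    except OSError as exc:
        return f"connect failed: {exc}"
```

Comparing `probe_ldaps` output for port 636 with the classifier's verdict on a raw capture of the server's first reply tells you whether slapd is speaking TLS at all on that listener or closing the connection before sending a record.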