
Re: More on TLS problems



> Well, I found and fixed a number of problems:
> 	ldaps:// was catching SSL_Connect failure
> 	ldaps:// was not connecting on appropriate port
> 	SSL_connect was being called with SSL_VERIFY_PEER
> 	  even when disabled
> 
> Both ldaps:// and StartTLS appear to be working fine
> now for all devel client tools.
> 
> StartTLS error handling/reporting is a bit odd.  I
> may tune this later.
> 
> Please test these changes so we can kick out a 2.0.1.
> 
> Kurt
> 
> 

I've built the OpenLDAP head branch with OpenSSL and CYRUS-SASL.
One thing that slowed me down quite a bit was that 'make ldbm'
in the tests directory failed on test001-slapadd.  This is due
to the following at the top of ldapsearch.out:

    TLS: PRNG has not been seeded with enough data

which is due to not having a ~/.rnd file, since my operating system
(Alpha OSF) does not have a /dev/urandom device.  I was hoping the
above changes fixed this, but they have not.

Since the tools use -x, and there is no -Z option being passed to
ldapsearch, can the attempt to open this file be prevented, or is
it really necessary?

Randy