stunnel(tls)/ldapsearch but no ldapsearch(tls)

[Andrew C Altepeter <aaltepet@cs.und.edu>]

Hello everybody!

Still struggling with ldapsearch, and I have just made an interersting
observation that I would like you to chew on:

I have the latest versions of openssl (compiled with rsaref and shared),
and openldap (compiled --with-tls --enable-shared).

My client machine has the follow in ldap.conf (the important stuff)
host xyz:636
ssl yes
sslpath /etc/openldap/certs/cert7.db

my ldap server us being run with the following:
slapd -u ldap -h ldaps:/// -d 65535

now, from the client, if I try a standard ldapsearch, I get the following
error from the server:

TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 0c 02 01 01 60 07 02  01 03 04                  0....`.....
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:565
connection_read(15): TLS accept error error=-1 id=21, closing


Now, if I turn on stunnel on the client with the followng options:

stunnel -c -d 9636  -r xyz:636 -f

and set the host localhost:9636 in the client ldap.conf,
everything works just peachy!

On the client, both stunnel and openldap were compiled from source with
the same openssl libraries.

I can absolutely not figure this one out.  Does openldap use the openssl
libraries in a different way than stunnel?  If so, why am I seemingly the
only one with this ssl client unknown protocol error?

Does anybody have any advice here, other than just using stunnel on my
client machines?

Thanks in advance,
Andy