Re: OpenLDAP TLS problem

[François Beretti <francois.beretti@enatel.com>]

Lukas Meyer a écrit :

> Hi list
>
> I'm trying to set up an OpenLDAP server with TLS support. I created 
> the needen certificates and added the essential lines to slapd.conf as 
> described in several howtos. But I get whatever I try the same error

hi,

what OS do you run OpenLDAP on ?
is your OpenLDAP compiled with OpenSSL or GNUTLS ?

I had a problem in the past that seemed to be due to GNUTLS

François

NB: I am not sure "Lists@OpenLDAP.org" is a good address to post at

> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown 
> ca /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
> connection_read(9): TLS accept error error=-1 id=7, closing
> connection_closing: readying conn=7 sd=9 for close
> connection_close: conn=7 sd=9
> daemon: removing 9
> daemon: select: listen=8 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=8 active_threads=0 tvp=NULL
>
>
> As explained in several mailinglist posts everything should work after 
> declaring the correct certificate through the TLS_CACERT variable. I 
> also created an .ldaprc file which contains this variable. But the 
> error occurs still.
>
> What else can I do to solve this problem? I very welcome any suggestions!
>
> Best regards
> Lukas