LDAPS and Sun/Netscape Proxy Server

I'm trying to use an OpenLDAP server to authenticate traffic going
through a Netscape proxy server -- which is now called Sun Java System
Web Proxy Server 3.6 (SP6). The idea is to use LDAPS on the front end
of the OpenLDAP server and then send the request to a backend LDAPS
server. Looking at the documentation out there for the Sun proxy
server, it seems like this should work.

With OpenLDAP, LDAP works perfectly fine, providing I allow LDAP_v2 in
slapd.conf.

I run into problems with LDAPS:

    connection_get(8)
    TLS: can't accept.
    TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:594

I'm pretty sure I've compiled OpenLDAP correctly. I don't need Cyrus
SASL, only the TLS piece. I compiled OpenLDAP with these flags. I only
want to use a server cert, no client cert.

    ./configure --enable-debug --enable-ldap --disable-bdb \
        --disable-cleartext --enable-md5 --with-tls --without-cyrus-sasl \
        --disable-rlookups

For the client:

    TLS_REQCERT allow

For the server: I tried this with a self-signed certificate.

    allow LDAP_v2
    TLSVerifyClient never

...and the lines for the certificates.

I think I have compiled OpenLDAP correctly because an ldapsearch -Z
yields the correct results.

What does SSL23_GET_CLIENT_HELLO:unknown protocol mean?

Is there a reason why an ldapsearch -Z would fail with a self-signed cert?

Has anyone tried to get LDAPS to work with the Sun proxy server? (I
know this is a little bit out of the scope of the list, but I am hopeful
maybe someone has encountered this before.)

I've RTFM'd a few times and googled different keywords to try to find an
answer to these questions. Any help/suggestions/spiritual guidance
would be greatly appreciated. Thanks for reading my posting.

Jean
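
Added example, not part of Jean's post: OpenSSL reports "unknown protocol" from SSL23_GET_CLIENT_HELLO when the first bytes arriving on a TLS listener are not a recognisable SSL/TLS hello. The Python sketch below labels the opening bytes of a connection to the ldaps port; it assumes those bytes were taken from a packet capture, and all function names and sample byte strings are constructed for illustration.

```python
# Added example: label the first bytes a client sends to an ldaps:// port.
# All names and sample byte strings are constructed for illustration.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation

def _read_tl(buf, pos):
    """Read a BER tag and length at pos; return (tag, length, value_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify_ldap(data):
    """Label a cleartext LDAPMessage by its protocolOp."""
    try:
        _, _, pos = _read_tl(data, 0)              # LDAPMessage SEQUENCE
        tag, length, pos = _read_tl(data, pos)     # messageID INTEGER
        if tag != 0x02:
            return "unknown"
        op, _, pos = _read_tl(data, pos + length)  # protocolOp
        if op == 0x60:                             # BindRequest: version first
            _, _, vpos = _read_tl(data, pos)
            return f"cleartext-ldap-bind-v{data[vpos]}"
        if op == 0x77:                             # ExtendedRequest: name first
            _, nlen, npos = _read_tl(data, pos)
            if data[npos:npos + nlen] == STARTTLS_OID:
                return "cleartext-ldap-starttls"
        return "cleartext-ldap-other"
    except IndexError:                             # truncated capture
        return "unknown"

def classify_first_bytes(data):
    """Label the protocol that the opening bytes of a connection belong to."""
    if len(data) < 3:
        return "too-short"
    if data[0] == 0x16 and data[1] == 0x03:        # TLS/SSLv3 handshake record
        is_hello = len(data) >= 6 and data[5] == 0x01
        return "tls-client-hello" if is_hello else "tls-handshake-other"
    if data[0] & 0x80 and data[2] == 0x01:         # SSLv2-format ClientHello
        return "sslv2-client-hello"
    if data[0] == 0x30:                            # BER SEQUENCE: plain LDAP
        return classify_ldap(data)
    return "unknown"

SAMPLES = {  # constructed opening bytes
    "tls": bytes.fromhex("160301002f0100002b0301"),
    "sslv2": bytes.fromhex("802e0103010015"),
    "ldap_v2_bind": bytes.fromhex("300c020101600702010204008000"),
    "ldap_starttls": bytes.fromhex("301d02010177188016") + STARTTLS_OID,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify_first_bytes(raw)}")
```

A label beginning with cleartext-ldap means the client spoke plain LDAP to the TLS port, which is one input that produces this error.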