Re: TLS failures with OS X clients
> hex dumps snipped).  Is there any other debugging I can do to figure
> out why the first connection is rejected by slapd?

I {saw,do see} this.

conn=2906509 fd=65 ACCEPT from IP={OSX}:56362 (IP=0.0.0.0:636)
conn=2906509 fd=65 closed (TLS negotiation failure)

The debugging you can do, and I think I actually did start a while back,
is taking packet dumps and then pulling out the source
(www.opensource.apple.com.) I decided that it was nothing short of a
blessing that DSLDAPv3 was working in the first place (it has a long and
disgusting history of retrying passwords, and we use one-time tokens) and
let it go. All the clients do something goofy, and we have to deal with
it--RFC1123.

It'd still be cool to get this fixed. They use libldap, so it's probably
not even that hard. But filing a bug with Apple has been close to a joke
in my experience, and 90%+ of Mac mailing lists are at the point of "You
have to click the Lock icon to change Directory configurations." Thanks.
If somebody can point me to a mailing list with an Apple DirectoryService
committer on it, maybe there's progress to be had on this. Otherwise...the
robustness principle continues to apply.
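As an added illustration (not from the post or OpenLDAP itself) of the server-side debugging available before resorting to packet dumps: the two slapd log lines quoted above can be correlated by conn id so that a client whose every handshake ends in "TLS negotiation failure" stands out from one that fails once and then retries successfully. The sample log is constructed here in the format slapd emits at loglevel conns; the conn numbers and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample slapd log (loglevel conns), modelled on the two lines
# quoted in the post; conn ids and client addresses are invented.
SAMPLE_LOG = """\
conn=2906509 fd=65 ACCEPT from IP=192.0.2.10:56362 (IP=0.0.0.0:636)
conn=2906509 fd=65 closed (TLS negotiation failure)
conn=2906510 fd=66 ACCEPT from IP=192.0.2.10:56363 (IP=0.0.0.0:636)
conn=2906510 fd=66 TLS established tls_ssf=256 ssf=256
conn=2906510 fd=66 closed
conn=2906511 fd=67 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:636)
conn=2906511 fd=67 closed (TLS negotiation failure)
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^:]+):\d+ \(IP=[^)]+\)")
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \((.*)\))?$")


def tls_failures_by_client(log_text):
    """Pair each ACCEPT with its closed line by conn id and return, per client
    IP, a (tls_failures, total_connections) tuple."""
    accepted = {}                          # conn id -> client IP
    stats = defaultdict(lambda: [0, 0])    # client IP -> [failures, total]
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            accepted[m.group(1)] = m.group(2)
            continue
        m = CLOSE_RE.match(line)
        if m and m.group(1) in accepted:
            ip = accepted.pop(m.group(1))
            stats[ip][1] += 1
            if m.group(2) == "TLS negotiation failure":
                stats[ip][0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def clients_failing_every_handshake(log_text):
    """Client IPs for which no TLS handshake ever succeeded: the ones worth
    a packet capture, as opposed to a client that retries and then works."""
    return sorted(ip for ip, (fail, total) in tls_failures_by_client(log_text).items()
                  if fail == total)


if __name__ == "__main__":
    print(tls_failures_by_client(SAMPLE_LOG))
    print(clients_failing_every_handshake(SAMPLE_LOG))
```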