On Wed, May 28, 2008 at 1:01 PM, Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:
On Wed, 28 May 2008, Michael Ströder wrote:
Adam Leach wrote:
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
Looks like your client tries to negotiate the SSLv23 protocol variant and your server does not accept this. You might have a look at the client's configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for security reasons anyway.
"SSLv23" is OpenSSL's name for the version negotiation code, handling the choice between SSLv2, SSLv3, and TLSv1. Support for specific versions can be disabled using the SSL_{,CTX_}set_options() functions...which OpenLDAP doesn't call. With that ruled out, it looks from the OpenSSL code that the "unknown protocol" error would only be generated when the client sent something that didn't look like either the SSLv2 format or the SSLv3/TLS format, such as if it sent normal LDAP on the ldaps port.
Philip Guenther
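An added illustration, not part of the thread: a small Python classifier that applies the leading-byte checks Philip refers to, so a captured first packet on the ldaps port can be told apart as an SSLv2-format hello, an SSLv3/TLS record, or something that is neither (the "unknown protocol" case, e.g. plain LDAP). The byte offsets follow my reading of OpenSSL's s23_srvr.c and the sample inputs are constructed, not captured traffic.

```python
"""Classify the first bytes a client sends to an ldaps:// listener, mirroring
the version-sniffing done by OpenSSL's SSLv23 server code (my reading of
s23_srvr.c; offsets are an assumption, not copied from the thread)."""

SSL2_MT_CLIENT_HELLO = 0x01   # SSLv2 message type for ClientHello
SSL3_RT_HANDSHAKE = 0x16      # SSLv3/TLS record content type "handshake"
SSL3_MT_CLIENT_HELLO = 0x01   # SSLv3/TLS handshake message type ClientHello
MIN_BYTES = 7                 # enough to see the handshake type in both formats

# Constructed samples (not real captures):
SAMPLE_TLS_HELLO = bytes.fromhex("160301002f0100002b0301")      # TLS record, ClientHello
SAMPLE_SSLV2_HELLO = bytes.fromhex("802e010301001500000010")     # SSLv2 framing, offers TLSv1
SAMPLE_LDAP_BIND = bytes.fromhex("300c020101600702010304008000")  # BER SEQUENCE: LDAP BindRequest


def version_name(major: int, minor: int) -> str:
    """Map a (major, minor) protocol version pair to its common name."""
    names = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
             (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
    return names.get((major, minor), f"version {major}.{minor}")


def classify_client_hello(data: bytes) -> str:
    """Return which framing the leading bytes use, or 'unknown protocol'."""
    if len(data) < MIN_BYTES:
        return "need more data"
    # SSLv2 framing: 2-byte record header with the high bit set, then the
    # message type, then the highest version the client offers.
    if data[0] & 0x80 and data[2] == SSL2_MT_CLIENT_HELLO:
        return f"sslv2-format hello (offers {version_name(data[3], data[4])})"
    # SSLv3/TLS framing: handshake record, major version 3, and the first
    # handshake byte after the 5-byte record header is ClientHello.
    if (data[0] == SSL3_RT_HANDSHAKE and data[1] == 0x03
            and data[5] == SSL3_MT_CLIENT_HELLO):
        return f"sslv3/tls hello (record version {version_name(data[1], data[2])})"
    return "unknown protocol"


def diagnose(data: bytes) -> str:
    """Add a hint for the 'unknown protocol' case seen in the thread."""
    verdict = classify_client_hello(data)
    if verdict == "unknown protocol" and data[:1] == b"\x30":
        # 0x30 is a BER SEQUENCE tag: every LDAP PDU starts with it, which is
        # what a client that skipped TLS entirely on the ldaps port would send.
        return verdict + " (starts with BER SEQUENCE: looks like plain LDAP without TLS)"
    return verdict
```

Feed it the first bytes of the client's packet from a capture; an "unknown protocol" verdict with the BER hint points at a client that skipped TLS rather than at a version-negotiation problem.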