[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mirrormode and cn=config



Mathieu MILLET wrote:
On Wed, 25 Mar 2009 15:09:09 +0100, Peter Mogensen <apm@mutex.dk> wrote:
I have problem with SASL/EXTERNAL and TLS. The server can't seem to find the client certificate. I'm using slapd from Debian Lenny and Ubuntu Hardy, and it's probably due to GnuTLS problems.
I get error from slapd like:
"TLS: can't accept: A TLS packet with unexpected length was received.."

Oh ... forget this one. I found the reason for this. It was my fault.

"unable to get TLS client DN, error=-4 id=0"
Are GnuTLS just completely broken on Debian Lenny or can this be made to work?

Which version of OpenLDAP are you using ? If using 2.4.15, the ldap "client" libs have broken SASL/EXTERNAL implementation. These libs are also used for consumer to connect to provider.

2.4.9-0ubuntu0.8.0
I haven't checked which upstream version the patches makes it equivalent to though.


Doing: ldapwhoami -YEXTERNAL -H ldaps://server:389/
I'm stepping through the SSL handshake with wireshark and it seems to get all the way through to the servers ChangeChipherSpec/Finish stage after which the client sends a TCP FIN,ACK.


slapd output is:
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
connection_read(10): unable to get TLS client DN, error=-4 id=11
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_closing: readying conn=11 sd=10 for close
connection_close: conn=11 sd=10


According to wireshark it's TLSv1.1.
I think I read somewhere that GnuTLS don't like that, but I can't figure out how do downgrade to TLSv1.0


/Peter