[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: What version of OpenSSL is required for OpenLDAP 2.4.35

To: Ashwin Kumar <ashwinkumark10@gmail.com>, openldap-technical@openldap.org
Subject: Re: What version of OpenSSL is required for OpenLDAP 2.4.35
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Fri, 14 Jun 2013 09:19:03 -0700
Content-disposition: inline
In-reply-to: <CAN4SqyJTw46=kyKox2Jk8xU6jSRaAAxvaP=tEowUn-A__tUnog@mail.gmail.com>
References: <CAN4SqyJTw46=kyKox2Jk8xU6jSRaAAxvaP=tEowUn-A__tUnog@mail.gmail.com>

--On Friday, June 14, 2013 5:22 PM +0530 Ashwin Kumar<ashwinkumark10@gmail.com> wrote:


I am compiling OpenLDAP 2.4.35 with OpenSSL 1.0.0a. The compilation and
building the library works fine.Â


However, when I am using the OpenLDAP client "ldapsearch" the tool fails
with these errors:



[root@xMachine openldap-2.4.35]# ./ldaplib/bin/ldapsearch -H
ldaps://192.168.1.51:10636 -d 5
ldap_url_parse_ext(ldaps://192.168.1.51:10636)
ldap_create
ldap_url_parse_ext(ldaps://192.168.1.51:10636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.51:10636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.51:10636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:Â
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv3 read server hello B
TLS trace: SSL_connect:error in SSLv3 read server hello B
TLS: can't connect: error:1411809D:SSL
routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list.
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:1411809D:SSL
routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list


1. Why does this happen?
2. Is it the issue with the OpenSSL 1.0.0a?


Looks that way.

3. What is the minimum version of OpenSSL required to build the LDAP
clients?Â

I know it works with at least 0.9 series. I'm not sure why you are usingsuch an ancient version of OpenSSL to build with OpenLDAP, given thenumerous security vulnerabilities it has. I personally use the latest(1.0.1e).


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- What version of OpenSSL is required for OpenLDAP 2.4.35
  - From: Ashwin Kumar <ashwinkumark10@gmail.com>

Prev by Date: Re: password policy error: Password policy only allows one password value
Next by Date: Re: translucent overlay and "orphaned" local entry when remote entry moves
Index(es):
- Chronological
- Thread