Re: moznss, gnutls, openssl
* Chuck Theobald <chuckt@uoregon.edu> [2015-04-23 22:34:31]:
> What is the current wisdom regarding which tls library to use?
>
> I've got a version 2.4.39 installation on RHEL 6.6 for which I cannot
> get tls to work. I end up with the "TLS: can't connect: TLS error
> -5938:Encountered end of file." error. Likely a misconfiguration of
> moznss, though I followed one set of directions using certutil, but lack
> the proper setting for my ldap TLSCACertificateFile.
>
> My Debian-based ldap servers run with either openssl or gnutls.
I've managed to get the stock RHEL 6/7 2.4.39 packages to work with the
standard PEM-encoded certificates/keys generated by OpenSSL without
needing to convert them into the NSS-specific format.
My TLS settings are simply:
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
Also, if you have SELinux enabled, check that these files are labelled
with the correct context, as that can be a source of phantom errors.
HTH
Matt
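As an added example (not code from Matt's or Chuck's messages): a POSIX shell script that sanity-checks the PEM files named by the olcTLS* attributes above before slapd is restarted, covering the cert/key match, the CA chain, key permissions and the SELinux label. It assumes openssl(1) is installed and defaults to the paths in Matt's reply; the function names are my own.

```shell
#!/bin/sh
# Added example: validate the files referenced by olcTLSCACertificateFile,
# olcTLSCertificateFile and olcTLSCertificateKeyFile. CERT_DIR defaults to
# the directory used in the reply above; override it in the environment.
CERT_DIR="${CERT_DIR:-/etc/openldap/certs}"

# Return 0 if the certificate's public key is the one in the private key.
cert_matches_key() {  # $1 cert.pem  $2 key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the server certificate verifies against the CA file.
cert_signed_by_ca() {  # $1 ca.crt  $2 ldap.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if "other" has no permission bits on the key (slapd runs as ldap).
key_is_private() {  # $1 key.pem
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Run every check against CERT_DIR; print one line per failure, return 1 on any.
check_ldap_tls_files() {
    ca="$CERT_DIR/ca.crt"; crt="$CERT_DIR/ldap.crt"; key="$CERT_DIR/ldap.key"
    rc=0
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    cert_matches_key "$crt" "$key" || { echo "ldap.crt does not match ldap.key"; rc=1; }
    cert_signed_by_ca "$ca" "$crt" || { echo "ldap.crt does not verify against ca.crt"; rc=1; }
    key_is_private "$key"          || { echo "ldap.key is readable by others"; rc=1; }
    # SELinux: restorecon -n -v prints a line for every file whose label
    # differs from the policy default; an empty result means the labels are right.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        if restorecon -n -v "$ca" "$crt" "$key" 2>/dev/null | grep -q .; then
            echo "SELinux labels differ from policy; run: restorecon -Rv $CERT_DIR"; rc=1
        fi
    fi
    return $rc
}

# Once the checks pass and slapd has been restarted, confirm StartTLS end to end:
#   ldapsearch -ZZ -H ldap://localhost -b '' -s base
```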