--On Tuesday, August 08, 2006 9:52 PM -0600 "Berg, Michael"
<[EMAIL PROTECTED]> wrote:
This error is coming straight from the OpenSSL libraries.
Have you tried connecting with openssl s_client?
Yes.
I am running slapd listening on both ports 389 (using starttls) and port
636 (SSL only to support some software that doesn't support starttls).
As pointed out in my original bug report, I have run
"openssl s_client -connect 127.0.0.1:636"
to connect to the SSL only port.
When slapd is running as root, s_client successfully establishes a
connection. When slapd is running as non-root, I get the error messages
==========
25159:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1057:SSL alert number 40
25159:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
==========
The manual page for s_client says that the only supported keywords for the
"-starttls <protocol>" option are currently "smtp" and "pop3", so I can't
use s_client to test ldap port 389+starttls.
But "ldapsearch -x -ZZ" (which is configured to use port 389+starttls)
gives the following error message when slapd is running as non-root
Does it work if you use "-h localhost" (similar to what you were doing with
the openssl command)?
Generally, you must provide the fully qualified domain name to the "-h"
parameter for SSL/TLS to work.
For example, "-h ldap" doesn't work for me, but "-h ldap.stanford.edu" does.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
