Check this discussion: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462588
It seems that gnutls has a different way of specifying the ciphers to use. Also there is a mention of the CN not matching the FQDN in the certificate. I was always happy just setting the minssf value in slapd.conf.

gp

On Tue, Mar 31, 2009 at 10:38 PM, Maria McKinley <ma...@shadlen.org> wrote:
> Thanks for the troubleshooting hints, comments in line.
>
> Predrag Gavrilovic wrote:
>> Are you sure that the problem is not related to something as simple as file
>> permissions on the private key for the server certificate? Because that was
>> the only problem the last time I had trouble with openldap and certificates.
>
> Permissions and ownership seem fine.
>
>> gnutls doesn't support the TLS_CACERTDIR option, that is, setting
>> TLSCACertificatePath in slapd.conf. That means that CA certificates
>> must reside in a single file. update-ca-certificates can create that
>> file for you. As far as I know that is the main difference between using
>> one or the other.
>
> I only have one CA certificate. I tried combining it with my other certificate,
> but this didn't help. Here is the info from my slapd.conf:
>
> # TLS encryption parameters (when I combined the certificates, I
> # commented out the TLSCertificateFile line)
> TLSCACertificateFile /etc/ldap/certs/ca-certificates.crt
> TLSCertificateFile /etc/ldap/certs/ldap.shadlen.crt
> TLSCertificateKeyFile /etc/ldap/certs/ldap.shadlen.key
> TLSCipherSuite HIGH
>
>> Try stopping slapd, put the certificate information in the config file, and
>> start slapd manually with debugging: "slapd -u openldap -g openldap -h
>> ldapi:/// -d255". Are there more indicative error messages?
>
> Here is what I believe are the relevant lines:
>
> TLS: could not set cipher list HIGH.
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy.
>
> Just in case, I have put the full output up on the web:
>
> http://www.shadlen.org/~maria/pmwiki/Work/Error-log
>
> Also, maybe this is helpful?
>
> test:~# openssl s_client -connect localhost:389 -showcerts
> CONNECTED(00000003)
> 13539:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> thanks for the help,
> maria
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
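Added example (not from the thread or from OpenLDAP): a small Python lint for the TLS directives of a slapd.conf that flags the three things discussed above for a GnuTLS-linked slapd: an OpenSSL-style TLSCipherSuite such as HIGH, a TLSCACertificatePath directive (GnuTLS builds need one CA bundle file), and a private key that is world-readable. The GnuTLS keyword set is from gnutls_priority_init; the sample config is the one Maria posted, embedded as a constructed string, and the exists/mode_of parameters are injectable so the check runs without the real files.

```python
import os
import re
import stat

# Keywords that may start a GnuTLS priority string, optionally followed by
# ":+X"/":-X"/":!X" modifiers. OpenSSL cipher-list words such as "HIGH" are
# not among them, hence "TLS: could not set cipher list HIGH" in the thread.
GNUTLS_KEYWORDS = {"NORMAL", "SECURE128", "SECURE256", "PERFORMANCE", "NONE"}

# Constructed sample: the TLS directives Maria posted in the thread.
SAMPLE_CONF = """\
# TLS encryption parameters
TLSCACertificateFile /etc/ldap/certs/ca-certificates.crt
TLSCertificateFile /etc/ldap/certs/ldap.shadlen.crt
TLSCertificateKeyFile /etc/ldap/certs/ldap.shadlen.key
TLSCipherSuite HIGH
"""

def is_gnutls_priority(value):
    """True if a TLSCipherSuite value is GnuTLS priority-string syntax."""
    return re.split(r"[:,]", value.strip(), maxsplit=1)[0].upper() in GNUTLS_KEYWORDS

def parse_tls_directives(conf_text):
    """Map TLS* directive names to values, skipping blank and comment lines."""
    directives = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            directives[parts[0]] = parts[1].strip()
    return directives

def check_slapd_tls(conf_text, exists=os.path.exists,
                    mode_of=lambda p: os.stat(p).st_mode):
    """Return a list of findings for the TLS section of a slapd.conf."""
    d = parse_tls_directives(conf_text)
    findings = []
    suite = d.get("TLSCipherSuite")
    if suite and not is_gnutls_priority(suite):
        findings.append(f"TLSCipherSuite '{suite}' is not a GnuTLS priority string (e.g. NORMAL or SECURE256)")
    if "TLSCACertificatePath" in d:
        findings.append("TLSCACertificatePath is not supported by GnuTLS builds; use a single TLSCACertificateFile")
    for key in ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile"):
        if key in d and not exists(d[key]):
            findings.append(f"{key}: {d[key]} does not exist")
    key_path = d.get("TLSCertificateKeyFile")
    if key_path and exists(key_path) and mode_of(key_path) & stat.S_IROTH:
        findings.append(f"{key_path} is world-readable; restrict it to the slapd user")
    return findings
```

Run it on a live host with `check_slapd_tls(open("/etc/ldap/slapd.conf").read())`, which uses the real file tests; against the sample alone, `check_slapd_tls(SAMPLE_CONF, exists=lambda p: True, mode_of=lambda p: 0o100644)` reports the HIGH cipher string and a world-readable key.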