Bug#462588: Same problem

2008-02-09 Thread T.A. van Roermund
Steve Langasek wrote: Please try setting 'TLSVerifyClient allow' in your slapd.conf, and let us know whether that fixes the problem for you. In my tests, I see that the default client certificate handling for 2.4.7 with GnuTLS does not match what's documented in the slapd.conf manpage; I think w

Bug#462588: Same problem

2008-02-07 Thread Steve Langasek
On Sun, Feb 03, 2008 at 05:29:47PM -0800, Russ Allbery wrote: > > I'm pretty sure I don't want to implement support for migrating the full set > > of OpenSSL cipher specs in shell. :P > > Do you think converting the above aliases would be good enough coverage? > > Or do we need to provide some upg

Bug#462588: Same problem

2008-02-03 Thread Russ Allbery
Steve Langasek <[EMAIL PROTECTED]> writes: > I'm pretty sure I don't want to implement support for migrating the full set > of OpenSSL cipher specs in shell. :P > > Do you think converting the above aliases would be good enough coverage? > Or do we need to provide some upgrade handling for all the

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem

2008-02-03 Thread Steve Langasek
On Wed, Jan 30, 2008 at 12:42:01AM +0100, T.A. van Roermund wrote: > So my FQDN ("server-timo.van-roermund", double checked with "hostname > -f") is now part of subjectAltName. However, it still doesn't work. Please try setting 'TLSVerifyClient allow' in your slapd.conf, and let us know whether

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem

2008-02-03 Thread Steve Langasek
A patch has been committed to the package svn tree to fix handling of cipher lists, which leaves this issue: On Tue, Jan 29, 2008 at 11:09:32AM -0800, Steve Langasek wrote: > I'm not sure if we should also try to migrate the OpenSSL-specific cipher > specs to GNUTLS equivalents as part of the pack

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread T.A. van Roermund
Quanah Gibson-Mount wrote: That would be a problem if "server-timo.van-roermud.nl" is not in subjectAltName for the certs. I changed the certificate (self signed), it now looks like this (only the relevant parts): Certificate: Data: Signature Algorithm: sha1WithRSAEncr

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread Russ Allbery
Quanah Gibson-Mount <[EMAIL PROTECTED]> writes: > I don't know why the previous debian package would have allowed it, > unless it was related to the old hacked libldap libraries (are those > replaced now?). They are, but they weren't used for the server anyway, so I'm not sure that explains it.

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread Quanah Gibson-Mount
--On Tuesday, January 29, 2008 10:18 PM +0100 "T.A. van Roermund" <[EMAIL PROTECTED]> wrote: FQDN: server-timo.van-roermund.nl CN: van-roermund.nl Will that be the problem? If so, then the behaviour of GnuTLS *is* different from the behaviour of OpenSSL. I will test it and let you know. Tha

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread T.A. van Roermund
Quanah Gibson-Mount wrote: Ok. Does your certificate have a proper cn, matching the fqdn of your server? That's the only other case where I can reproduce the described behavior, but I don't know if that's a behavior change relative to the OpenSSL version. (I would have hoped that OpenSSL would

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread Quanah Gibson-Mount
--On Tuesday, January 29, 2008 12:09 PM -0800 Steve Langasek <[EMAIL PROTECTED]> wrote: On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote: Steve Langasek wrote: > Well, I can reproduce the problem when using this value for > TLSCipherSuite. But why would you set this value, rat

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread Steve Langasek
On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote: > Steve Langasek wrote: > > Well, I can reproduce the problem when using this value for TLSCipherSuite. > > But why would you set this value, rather than leaving TLSCipherSuite blank > > to use the default? I don't see the point of

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Same problem

2008-01-29 Thread Quanah Gibson-Mount
--On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek <[EMAIL PROTECTED]> wrote: Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2", not "$cipher1 $cipher2"; but setting such values gives me a hang on startup (which should be investigated). Filed upstream:

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem

2008-01-29 Thread T.A. van Roermund
Steve Langasek wrote: Well, I can reproduce the problem when using this value for TLSCipherSuite. But why would you set this value, rather than leaving TLSCipherSuite blank to use the default? I don't see the point of listing *all* the cipher types if you don't intend to exclude some of them.

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem

2008-01-29 Thread Steve Langasek
On Sat, Jan 26, 2008 at 12:33:28PM +0100, T.A. van Roermund wrote: > # all cipher suites as currently supported by gnutls, > # constructed using command: > # gnutls-cli -l | grep -E "^TLS" | cut -d\ -f1 | xargs echo > TLSCipherSuite TLS_ANON_DH_ARCFOUR_MD5 TLS_ANON_DH_3DE

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem

2008-01-27 Thread T.A. van Roermund
Quanah Gibson-Mount wrote: Have you verified that port 636 is open? I.e., telnet localhost 636 The port is open: $ telnet localhost 636 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. And: $ netstat --listening --numeric --program | gre

Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem

2008-01-26 Thread Quanah Gibson-Mount
--On Saturday, January 26, 2008 12:33 PM +0100 "T.A. van Roermund" <[EMAIL PROTECTED]> wrote: Quanah Gibson-Mount wrote: Have you verified whether or not you can connect using LDAPS via the command line tools? (ldapsearch, ldapwhoami, etc). Yes I did: $ ldapsearch -H ldaps://localho

Bug#462588: [Pkg-openldap-devel] Bug#462588: Same problem

2008-01-26 Thread T.A. van Roermund
Quanah Gibson-Mount wrote: Have you verified whether or not you can connect using LDAPS via the command line tools? (ldapsearch, ldapwhoami, etc). Yes I did: $ ldapsearch -H ldaps://localhost:636/ -X cn=admin ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) The rel

Bug#462588: [Pkg-openldap-devel] Bug#462588: Same problem

2008-01-25 Thread Quanah Gibson-Mount
--On Saturday, January 26, 2008 1:01 AM +0100 "T.A. van Roermund" <[EMAIL PROTECTED]> wrote: Hi, I have the same problem. Following your suggestion, I listed all the cipher suites using "gnutls-cli -l" and tried all of them. Now, slapd does start, but still Thunderbird cannot connect to the da

Bug#462588: Same problem

2008-01-25 Thread T.A. van Roermund
Hi, I have the same problem. Following your suggestion, I listed all the cipher suites using "gnutls-cli -l" and tried all of them. Now, slapd does start, but still Thunderbird cannot connect to the daemon, no matter which cipher suite was selected. Regards, Timo -- To UNSUBSCRIBE, emai