Thread View: gmane.linux.debian.user
Started by Alessandro Baggi
Sun, 14 Jun 2009 19:23
slapd + TLS Problem.
Author: Alessandro Baggi
Date: Sun, 14 Jun 2009 19:23
45 lines
1503 bytes
Hi there. I've a problem setting up SLAPD + TLS and libnss-ldap. When I try to get the passwd entry with getent passwd I get the following error:

TLS: can't accept: A record packet with illegal version was received..
connection_read(13): TLS accept failure error=-1 id, closing

Is this a certificate problem or a libnss-ldap configuration problem? I've also tested slapd and TLS with gnutls-cli and openssl s_client, and they complete the test successfully. I've also tested my certificate with openssl verify, and this test has also completed successfully. My nsswitch.conf is configured with files and ldap.

Then, I've created my certificate with the following commands:

# /usr/lib/ssl/misc/CA.pl -newca    /* to create the CA certificate and key */
# openssl req -newkey rsa:1024 -nodes -keyout key.pem -out newreq.pem    /* for server/client certificate building and signing */
# /usr/lib/ssl/misc/CA.pl -sign

Is there something wrong in the certificate creation?

This is my libnss-ldap.conf configuration (only TLS and port parameters):

uri ldap://PDC
port 389
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/certlibnss/cacert.cert
tls_ciphers TLSv1
tls_cert /etc/certlibnss/nsscert.pem
tls_key /etc/certlibnss/nsskey.pem

The OpenLDAP utils work fine with slapd and TLS, but on the ldaps port (636). Is this a bug or a configuration mismatch?

Thanks in advance.
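The configuration above uses StartTLS on port 389, while the OpenLDAP utilities were only tried on the ldaps port 636. To exercise the StartTLS path by itself, independent of libnss-ldap, the script below (an added example, not part of the thread) sends the LDAP StartTLS extended request, checks the result code in slapd's ExtendedResponse, and only then starts a TLS handshake verified against the CA file. Host PDC and the /etc/certlibnss/cacert.cert path are taken from the posted configuration; the sample response bytes are constructed for offline checking.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation (RFC 4511)

def tlv(tag, body):
    """BER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)         # resultCode ENUMERATED (0 = success)
    _, _, pos = read_tlv(op, pos)       # matchedDN
    _, diag, _ = read_tlv(op, pos)      # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

# Constructed sample of a successful StartTLS ExtendedResponse, used for offline checks.
SAMPLE_STARTTLS_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)))

def check_starttls(host="PDC", port=389, cafile="/etc/certlibnss/cacert.cert"):
    """Plain LDAP on port, StartTLS, then a CA-verified TLS handshake (the path 'ssl start_tls' configures)."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))   # short response, assumed to arrive in one read
    if code != 0:                      # slapd refused StartTLS: stop here rather than start a TLS handshake
        sock.close()
        return code, diag, None
    ctx = ssl.create_default_context(cafile=cafile)            # chain and hostname verification, as tls_checkpeer yes asks for
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return code, diag, tls.version()
```

Running check_starttls() against the server shows whether the failure happens at the LDAP StartTLS response or in the TLS handshake that follows it.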
Re: slapd + TLS Problem.
Author: Maria McKinley
Date: Sun, 14 Jun 2009 19:25
60 lines
2277 bytes
Alessandro Baggi wrote:
> Hi there. I've a problem setting up SLAPD + TLS and libnss-ldap. When I try to get
> the passwd entry with getent passwd I get the following error:
>
> TLS: can't accept: A record packet with illegal version was received..
> connection_read(13): TLS accept failure error=-1 id, closing
>
> Is this a certificate problem or a libnss-ldap configuration problem? I've
> also tested slapd and TLS with gnutls-cli and openssl s_client, and they
> complete the test successfully. I've also tested my certificate with openssl
> verify, and this test has also completed successfully. My
> nsswitch.conf is configured with files and ldap.
>
> Then, I've created my certificate with the following commands:
>
> # /usr/lib/ssl/misc/CA.pl -newca    /* to create the CA certificate and key */
> # openssl req -newkey rsa:1024 -nodes -keyout key.pem -out newreq.pem    /* for server/client certificate building and signing */
> # /usr/lib/ssl/misc/CA.pl -sign
>
> Is there something wrong in the certificate creation?
>
> This is my libnss-ldap.conf configuration (only TLS and port parameters):
>
> uri ldap://PDC
> port 389
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/certlibnss/cacert.cert
> tls_ciphers TLSv1
> tls_cert /etc/certlibnss/nsscert.pem
> tls_key /etc/certlibnss/nsskey.pem
>
> The OpenLDAP utils work fine with slapd and TLS, but on the ldaps port (636).
> Is this a bug or a configuration mismatch?
>
> Thanks in advance.

I'm afraid this is not much help, but I wanted to let you know you are not alone. I struggled with problems with slapd and TLS with lenny for quite some time, and I finally decided that TLS with OpenLDAP in Debian is still buggy, and gave up, planning on trying again in a month or so.

It seems the problem is something to do with Debian switching from OpenSSL to gnutls-cli, as things worked fine when Debian was still using OpenSSL. With luck though, we both have something trivially wrong with our configs, and someone else will chime in with an actual solution...

cheers,
maria