[ale] TLS suddenly stops working with slapd

Jim Kinney jim.kinney at gmail.com
Thu Dec 8 21:41:20 EST 2011


Run tcpdump on the connection. It sounds like the handshake failed but you
need more data to verify.
On Dec 8, 2011 8:21 PM, "John Heim" <john at johnheim.net> wrote:

> Hi,
> I have an openldap server that suddenly stopped accepting TLS connections.
> One minute, I could do an ldapsearch against it with TLS and the next I
> couldn't. I was trying to write an update script at the time. But could a
> corrupt database cause TLS to fail?
>
> ldapsearch -x -ZZ -H ldap://hubble.example.com "uid=jheim"
>
> That command hangs. Does not exit. And the logs say "TLS negotiation
> failure". But it used to work. If there is something wrong with my cert, why
> did it used to work?  I even rebooted the ldap server, no joy.
>
> === before ===
> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from
> IP=144.92.166.12:41021 (IP=0.0.0.0:389)
> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0
> text=
> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established
> tls_ssf=128 ssf=128
> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND
> dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128
>
> === After ===
> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from
> IP=144.92.166.12:37619 (IP=0.0.0.0:389)
> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
> Dec  8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation
> failure)
>
>
> root at hubble:~/tmp# dpkg -p slapd
> Package: slapd
> Priority: optional
> Section: net
> Installed-Size: 4092
> Maintainer: Debian OpenLDAP Maintainers
> <pkg-openldap-devel at lists.alioth.debian.
> org>
> Architecture: amd64
> Source: openldap
> Version: 2.4.25-3
> Replaces: ldap-utils (<< 2.2.23-3), libldap2
> Provides: ldap-server, libslapi-2.4-2
> Depends: libc6 (>= 2.12), libdb5.1, libgcrypt11 (>= 1.4.6), libgnutls26 (>=
> 2.12
> .6.1-0), libldap-2.4-2 (= 2.4.25-3), libltdl7 (>= 2.4), libperl5.12 (>=
> 5.12.4),
>  libsasl2-2, libslp1, libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11), coreutils
> (>=
> 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base
> (>= 3
> .2-13), libdb4.8 (>= 4.8.30)
> Pre-Depends: debconf (>= 0.5) | debconf-2.0, multiarch-support
> Recommends: libsasl2-modules
> Suggests: ldap-utils
> Conflicts: ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
> Size: 1643524
> Description: OpenLDAP server (slapd)
>  This is the OpenLDAP (Lightweight Directory Access Protocol) server
>  (slapd). The server can be used to provide a standalone directory
>  service.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
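The two log excerpts above already contain the useful signal: in the working case the `STARTTLS ... RESULT err=0` line is followed within the same second by `TLS established`, while in the broken case the connection sits for 24 seconds and is then closed with `TLS negotiation failure`. The script below is an added example (not from the thread or from OpenLDAP) that groups slapd `conn=` lines by connection and flags every StartTLS attempt that never reached `TLS established`, reporting the peer and the time until close. The log text is constructed from the lines quoted in the thread; the year 2011 is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, patterned on the slapd lines quoted in the thread.
SAMPLE_LOG = """\
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from IP=144.92.166.12:41021 (IP=0.0.0.0:389)
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established tls_ssf=128 ssf=128
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from IP=144.92.166.12:37619 (IP=0.0.0.0:389)
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
Dec  8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation failure)
"""

# syslog prefix, then the slapd connection id, then the rest of the event
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) (?P<rest>.*)$"
)


def parse_ts(ts, year=2011):
    """syslog timestamps have no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze_slapd_log(text):
    """Return one finding per connection that sent STARTTLS but never
    reached 'TLS established' before being closed."""
    conns = defaultdict(lambda: {"peer": None, "starttls": None,
                                 "established": None, "closed": None,
                                 "reason": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd connection event; ignore
        c = conns[m["conn"]]
        ts, rest = parse_ts(m["ts"]), m["rest"]
        if "ACCEPT from IP=" in rest:
            c["peer"] = rest.split("IP=")[1].split()[0]
        elif rest.endswith("STARTTLS"):
            c["starttls"] = ts
        elif "TLS established" in rest:
            c["established"] = ts
        elif " closed" in rest:
            c["closed"] = ts
            why = re.search(r"closed \((.*)\)", rest)
            c["reason"] = why.group(1) if why else None

    findings = []
    for conn, c in conns.items():
        if c["starttls"] and not c["established"]:
            end = c["closed"] or c["starttls"]
            findings.append({
                "conn": conn,
                "peer": c["peer"],
                "seconds_to_close": (end - c["starttls"]).total_seconds(),
                "reason": c["reason"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze_slapd_log(SAMPLE_LOG):
        print(f"conn={f['conn']} peer={f['peer']} "
              f"failed StartTLS after {f['seconds_to_close']:.0f}s: {f['reason']}")
```

Run against a real `/var/log/syslog` slice the same way; a single flagged connection with a long gap before close tells you the handshake stalled rather than being rejected outright, but slapd at this log level records only that negotiation failed, not which side gave up or why. That is the gap the reply above is pointing at: a packet capture of the connection shows whether the client ever sent its ClientHello after the `RESULT err=0`, whether the server answered, and which TLS alert (if any) preceded the close.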