
ldap client: gnutls problem



Hello list,

I have run into a problem with Apache and OpenLDAP which I pinned down
to GnuTLS.

I have an LDAP server set up with TLS (it also runs Debian) but
connecting to it turns out to be a problem. It works fine for local or
unencrypted connections but from another Debian box it doesn't. Behold
ldapsearch:

ldapsearch -d 1 -x -H ldaps://ahostname -D 'cn=admin,dc=correct' -w 'lll' '(cn=admin)'
ldap_url_parse_ext(ldaps://ahostname)
ldap_create
ldap_url_parse_ext(ldaps://ahostname:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ahostname:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Connecting from a box running another distro works better:

ldap_url_parse_ext(ldaps://ahostname)
ldap_create
ldap_url_parse_ext(ldaps://ahostname:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ahostname:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A

... etc etc.

Difference is, on Debian everything appears to be compiled with GnuTLS
(including OpenLDAP and Apache) whereas on the other distros I've tried
OpenSSL is used.

So the obvious solution would be to use OpenSSL but I suppose this would
mean recompiling the Apache package - which may not be ideal from a
stability viewpoint or to keep up with security updates.

Would it be possible to install the certificate on the client side
(=Apache) and somehow suggest it to trust the certificate?
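As an added example (not part of this message or of OpenLDAP's own tooling), a small Python 3.7+ script that assumes Debian's client-side config lives at /etc/ldap/ldap.conf: it verifies the LDAPS server's chain against a chosen CA file with the standard ssl module, so the "untrusted" failure can be reproduced and tested against a candidate CA before touching Apache, and it rewrites the TLS_CACERT directive that tells the OpenLDAP client library (and anything linked against it) which CA to trust.

```python
import ssl
import socket
import sys

LDAP_CONF = "/etc/ldap/ldap.conf"  # assumed Debian path of the OpenLDAP client config


def verify_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a TLS connection to an LDAPS port and verify the server chain
    against `cafile` (the system trust store when None). Returns (ok, detail):
    ok=True with the peer subject on success, ok=False with the verification
    or socket error otherwise. No LDAP bind is sent, only the TLS handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        # e.g. "unable to get local issuer certificate": the client-side
        # equivalent of "TLS: peer cert untrusted or revoked"
        return False, e.verify_message
    except (ssl.SSLError, OSError) as e:
        return False, str(e)


def set_tls_cacert(conf_text, cafile):
    """Return ldap.conf text with exactly one active `TLS_CACERT <cafile>` line,
    replacing any existing one. TLS_CACERTDIR and commented lines are left
    untouched, since only the exact first token is matched."""
    out, done = [], False
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "TLS_CACERT":
            if not done:
                out.append(f"TLS_CACERT {cafile}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"TLS_CACERT {cafile}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: ldaps_trust.py <host> <ca.pem>  (hostname must match the cert)
    host, cafile = sys.argv[1], sys.argv[2]
    ok, detail = verify_ldaps(host, cafile=cafile)
    print("trusted" if ok else "NOT trusted", detail)
    if ok:
        with open(LDAP_CONF) as f:
            updated = set_tls_cacert(f.read(), cafile)
        print("ldap.conf would become:\n" + updated)
```

When the check passes with the CA that signed the server certificate, adding that CA via TLS_CACERT (or the LDAPTLS_CACERT environment variable for a one-off ldapsearch) is the client-side trust the message asks about, without weakening verification.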
