I have problems using OpenCA to upload certificates on an LDAP Server
(openldap), using TLS port 636. First of all, I have no problems with
clear text port 389. Changing config to use port 636, I get the
following (SSL) error from OpenCA (trying to upload CA cert.):
Adding valid CA-certificates to the LDAP server ...
Certificate 0 FAILED (error 81: LDAP-bind failed: Can't contact LDAP server)
The LDAP Server answers:
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 30 1d 02 01 01 77 18 80 16 31 2e 0....w...1.
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
connection_read(10): TLS accept error error=-1 id=5, closing
The problem seems to be in the version of the SSL/TLS protocol, which is
not recognized correctly by the LDAP server from the OpenCA handshake request.
I've spent a LOT of time looking for every LDAP configuration file in
OpenCA, and the only variable I found about versions is in ldap.xml (and
is set to 3, as expected to work with TLSv1 = SSLv3).
I'm not posting any configuration file, because I don't really know
which one to post, tell me if I missed some information or if you need
Thanks a lot in advance, Diego
Secure Edge - your safety .net
Via Benedetto Croce, 19 - 00142 Roma
Tel. +39 06 54223164
fax +39 06 5430607
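The eleven bytes slapd logged before failing are enough to tell what the client actually sent. Port 636 (ldaps) expects the very first bytes on the socket to be a TLS record (a ClientHello, first byte 0x16), whereas `30 1d 02 01 01 77 18 80 16 31 2e` is a BER-encoded LDAP PDU: a SEQUENCE, messageID 1, and an [APPLICATION 23] ExtendedRequest whose OID field is 22 bytes long and begins with "1.", which is exactly the shape of a StartTLS request (OID 1.3.6.1.4.1.1466.20037, RFC 4511). A cleartext StartTLS request is what a client sends on port 389, so SSL_accept on 636 reports "unknown protocol". The following Python decoder is an added example written for this thread, not part of the original post or of OpenCA or OpenLDAP; it decodes the captured prefix and distinguishes it from a TLS record, and the sample bytes are copied from the trace above (the rest of the PDU was never logged, so the OID can only be checked as a prefix).

```python
"""Classify the first bytes a client sends to an LDAP port: TLS record or
cleartext LDAP PDU. Added diagnostic example; not OpenCA/OpenLDAP code."""

# Constructed sample: the 11 bytes slapd logged ("tls_read: want=11, got=11"),
# copied from the trace in the post above. The rest of the PDU was not logged.
CAPTURED = bytes.fromhex("30 1d 02 01 01 77 18 80 16 31 2e")

# BER/LDAP tags from RFC 4511: universal SEQUENCE, INTEGER, and the
# [APPLICATION 23] constructed tag used for ExtendedRequest.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77
TAG_CONTEXT_0 = 0x80          # requestName [0] LDAPOID inside ExtendedRequest
TLS_HANDSHAKE_RECORD = 0x16   # first byte of a TLS ClientHello record

# StartTLS extended-operation OID (RFC 4511 section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def read_tlv(buf, pos):
    """Return (tag, length, value_start) for the BER TLV at buf[pos].
    Handles short-form and long-form definite lengths; raises ValueError
    when the header itself is truncated."""
    if len(buf) < pos + 2:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    if len(buf) < pos + 2 + n:
        raise ValueError("truncated long-form length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, length, pos + 2 + n


def classify_prefix(buf):
    """Decode what kind of traffic the captured prefix is. The returned dict
    always has 'kind'; for an LDAP PDU it also carries the decoded fields."""
    result = {"kind": "unknown"}
    if not buf:
        return result
    if buf[0] == TLS_HANDSHAKE_RECORD:
        # What an ldaps (port 636) listener expects to see first.
        result["kind"] = "tls-record"
        return result
    try:
        tag, pdu_len, p = read_tlv(buf, 0)
        if tag != TAG_SEQUENCE:
            return result
        result.update(kind="ldap-pdu", pdu_length=pdu_len)

        tag, id_len, p = read_tlv(buf, p)
        if tag != TAG_INTEGER:
            return result
        result["message_id"] = int.from_bytes(buf[p:p + id_len], "big")
        p += id_len

        tag, op_len, p = read_tlv(buf, p)
        result["op_tag"] = tag
        if tag != TAG_EXTENDED_REQUEST:
            return result
        result["operation"] = "extendedReq"

        tag, oid_len, p = read_tlv(buf, p)
        if tag != TAG_CONTEXT_0:
            return result
        oid_prefix = buf[p:p + oid_len].decode("ascii", "replace")
        result["oid_length"] = oid_len
        result["oid_prefix"] = oid_prefix
        result["oid_complete"] = len(buf) >= p + oid_len
        # Only a prefix may be available; report whether it can still be StartTLS.
        result["consistent_with_starttls"] = (
            oid_len == len(STARTTLS_OID) and STARTTLS_OID.startswith(oid_prefix)
        )
    except ValueError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in classify_prefix(CAPTURED).items():
        print(f"{key}: {value}")
```

Running it on the captured bytes reports an LDAP PDU of 29 bytes, messageID 1, an extendedReq whose OID field is 22 bytes starting with "1.", and `consistent_with_starttls: True`; feeding it a buffer that starts with 0x16 reports `tls-record` instead. The practical check this supports is whether the client is configured for StartTLS on the cleartext port (389) or for ldaps on 636; the two are not interchangeable, and the first bytes on the wire show which one the client is actually doing.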