[Techtalk] debian slapd and gnutls

Fri Mar 27 00:58:07 UTC 2009

I have been trying to get ldap to work with tls for a while, and have 
been having a hard time. When I have the certificate info in slapd.conf, 
slapd refuses to start, giving me the error:

main: TLS init def ctx failed: -1

With the certificate lines commented out, slapd starts with no problem, 
of course. I've done a bunch of poking about, and the problem seems to 
be related to the change in the way slapd is built in debian. With 
Lenny, debian slapd is built with libgnutls instead of openssl. 
Unfortunately, all of the instructions I can find for setting up 
certificates for debian slapd use openssl. How do I get certificates 
made with openssl to work with slapd now that it is build with 
libgnutls, or is there another way to make certificates now? And how do 
I verify that my certificates are built correctly using libgnutls? It 
seems to be set up correctly, but I'm not sure how to test the 
certificates themselves:

test:/etc/ssl/certs# gnutls-cli -l :High
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5                           	0x00, 0x18	SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1                     	0x00, 0x1b	SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1                      	0x00, 0x34	SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1                      	0x00, 0x3a	SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1                 	0x00, 0x46	TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1                 	0x00, 0x89	TLS1.0
TLS_PSK_SHA_ARCFOUR_SHA1                          	0x00, 0x8a	TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1                     	0x00, 0x8b	TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1                      	0x00, 0x8c	TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1                      	0x00, 0x8d	TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1                      	0x00, 0x8e	TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1                 	0x00, 0x8f	TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1                  	0x00, 0x90	TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1                  	0x00, 0x91	TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1                     	0xc0, 0x1a	TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1                      	0xc0, 0x1d	TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1                      	0xc0, 0x20	TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1                 	0xc0, 0x1c	TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1                 	0xc0, 0x1b	TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1                  	0xc0, 0x1f	TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1                  	0xc0, 0x1e	TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                  	0xc0, 0x22	TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1                  	0xc0, 0x21	TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1                          	0x00, 0x66	TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1                     	0x00, 0x13	SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1                      	0x00, 0x32	SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1                      	0x00, 0x38	SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                 	0x00, 0x44	TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                 	0x00, 0x87	TLS1.0
TLS_DHE_RSA_3DES_EDE_CBC_SHA1                     	0x00, 0x16	SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1                      	0x00, 0x33	SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1                      	0x00, 0x39	SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                 	0x00, 0x45	TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                 	0x00, 0x88	TLS1.0
TLS_RSA_NULL_MD5                                  	0x00, 0x01	SSL3.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5                     	0x00, 0x03	SSL3.0
TLS_RSA_ARCFOUR_SHA1                              	0x00, 0x05	SSL3.0
TLS_RSA_ARCFOUR_MD5                               	0x00, 0x04	SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1                         	0x00, 0x0a	SSL3.0
TLS_RSA_AES_128_CBC_SHA1                          	0x00, 0x2f	SSL3.0
TLS_RSA_AES_256_CBC_SHA1                          	0x00, 0x35	SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1                     	0x00, 0x41	TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1                     	0x00, 0x84	TLS1.0
Certificate types: X.509, OPENPGP
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, 
ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, 
SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: DEFLATE, NULL

Thank you,
maria