[Techtalk] debian slapd and gnutls
Maria McKinley
maria at shadlen.org
Thu May 21 08:52:00 UTC 2009
Wim De Smet wrote:
> Hi,
>
> On Wed, Apr 1, 2009 at 10:49 AM, Maria McKinley <maria at shadlen.org> wrote:
>> increased logging doesn't seem to give more relevant info, but have
>> published the messages, just in case:
>>
>> http://www.shadlen.org/~maria/pmwiki/Work/Error-log
>
> I think this is the relevant line though:
> TLS: could not set cipher list HIGH.
> Some of the cipher names are different between gnutls and openssl.
> Probably the ldap server conf has a line with the ciphers somewhere
> that includes names gnutls knows nothing about?
>
> regards,
> Wim
I cannot believe how slow and painful this has been. I finally have
slapd running, with tls settings in place. Wim had the clue for one
problem. HIGH does not work with gnutls, you have to specify the
ciphers. Here is what I ended up with:
TLSCipherSuite TLS_DHE_RSA_AES_256_CBC_SHA
TLSCipherSuite TLS_RSA_3DES_EDE_CBC_SHA1
The other problem is that gnutls only accepts version 3 certificates,
and I could not figure out how to create the certificate that is used to
sign other certificates so that it is version 3. So finally, I ran
across this website:
http://www.cacert.org/
I had them sign my certificate, and used their CAcert, and now I can
start slapd when TLS is enabled!
Unfortunately, my troubles still are not over. It appears I still can't
actually use tls. When I try an ldapsearch that enforces tls (-ZZ), I get
ldap_start_tls: Connect error (-11)
and in the logfile:
unable to get TLS client DN, error=49 id=0
I have played a bunch with various settings in ldap.conf, and have
searched with google on this error, and tried every suggestion I've
found, but I can't get it to work. Any ideas?
thanks,
maria
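One check that would have shortened the certificate hunt described above: confirm that the CA certificate and the server certificate are X.509 version 3 before pointing a GnuTLS-linked slapd at them. The script below is an added example, not code from this thread or from the slapd or GnuTLS projects. It reads the version field directly from the DER structure (the version is the first, optional element of tbsCertificate), so it needs no third-party library; the two sample certificates it carries are constructed stubs that contain only the fields the check needs, and the function names (x509_version, gnutls_accepts, pem_to_der) are my own.

```python
"""Report the X.509 version of a PEM or DER certificate.

GnuTLS, and therefore a slapd built against it, rejects version 1
certificates, so a v3 check is a quick first step when slapd refuses to
start with TLS enabled.  Added example: not from the mailing-list thread.

DER layout used here (only the leading elements matter):
  Certificate ::= SEQUENCE {
      tbsCertificate SEQUENCE {
          version [0] EXPLICIT INTEGER DEFAULT v1,   -- absent for v1
          serialNumber INTEGER, ... }, ... }
"""
import base64
import re
import sys


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                     # long-form length: low bits give byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) encoded in a DER certificate."""
    tag, start, _ = _read_tlv(der, 0)           # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _read_tlv(der, start)       # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _read_tlv(der, start)      # first TBS element
    if tag != 0xA0:                             # [0] EXPLICIT version absent -> v1
        return 1
    itag, istart, iend = _read_tlv(der, vstart)
    if itag != 0x02:
        raise ValueError("version field is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded as version - 1


def gnutls_accepts(der):
    """True when the certificate is v3, the only version GnuTLS will load."""
    return x509_version(der) == 3


def _der(tag, content):
    """Encode one short-form DER TLV (used only to build the constructed samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


# Constructed sample input, not real certificates: just enough structure to
# carry the version field, i.e. Certificate{ tbsCertificate{ version, serial } }.
_SERIAL = _der(0x02, b"\x01")                                   # serialNumber 1
SAMPLE_V3_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _SERIAL))
SAMPLE_V1_DER = _der(0x30, _der(0x30, _SERIAL))                 # no [0] -> v1
SAMPLE_V3_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_V3_DER).decode()
                 + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Usage: python check_x509_version.py /etc/ldap/ssl/cacert.pem
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            raw = fh.read()
        der = pem_to_der(raw.decode("ascii")) if raw.startswith(b"-----") else raw
        v = x509_version(der)
        print("%s: X.509 v%d (%s)" % (path, v, "ok for GnuTLS" if v == 3 else "GnuTLS will reject"))
```

Run it against both the CA certificate and the slapd server certificate; a "v1" result on either one explains a TLS start-up failure before any cipher-list debugging is needed. The parser reads only the leading elements, so it does not validate the rest of the certificate; use openssl x509 -text or certtool -i for the full picture once the version is confirmed.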