<p>Run tcpdump on the connection. It sounds like the handshake failed but you need more data to verify.</p>
<div class="gmail_quote">On Dec 8, 2011 8:21 PM, "John Heim" <<a href="mailto:john@johnheim.net">john@johnheim.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
I have an openldap server that suddenly stopped accepting TLS connections.<br>
One minute, I could do an ldapsearch against it with TLS and the next I<br>
couldn't. I was trying to write an update script at the time. But could a<br>
corrupt database cause TLS to fail?<br>
<br>
ldapsearch -x -ZZ -H ldap://<a href="http://hubble.example.com" target="_blank">hubble.example.com</a> "uid=jheim"<br>
<br>
That command hangs. Does not exit. And the logs say "TLS negotiation<br>
failure". But it used to work. If there is something wrong with my cert, why<br>
did it used to work? I even rebooted the ldap server, no joy.<br>
<br>
=== Before ===<br>
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from<br>
IP=<a href="http://144.92.166.12:41021" target="_blank">144.92.166.12:41021</a> (IP=<a href="http://0.0.0.0:389" target="_blank">0.0.0.0:389</a>)<br>
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT<br>
oid=1.3.6.1.4.1.1466.20037<br>
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS<br>
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=<br>
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established<br>
tls_ssf=128 ssf=128<br>
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND<br>
dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128<br>
<br>
=== After ===<br>
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from<br>
IP=<a href="http://144.92.166.12:37619" target="_blank">144.92.166.12:37619</a> (IP=<a href="http://0.0.0.0:389" target="_blank">0.0.0.0:389</a>)<br>
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT<br>
oid=1.3.6.1.4.1.1466.20037<br>
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS<br>
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=<br>
Dec 8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation<br>
failure)<br>
<br>
<br>
root@hubble:~/tmp# dpkg -p slapd<br>
Package: slapd<br>
Priority: optional<br>
Section: net<br>
Installed-Size: 4092<br>
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org><br>
Architecture: amd64<br>
Source: openldap<br>
Version: 2.4.25-3<br>
Replaces: ldap-utils (<< 2.2.23-3), libldap2<br>
Provides: ldap-server, libslapi-2.4-2<br>
Depends: libc6 (>= 2.12), libdb5.1, libgcrypt11 (>= 1.4.6), libgnutls26 (>= 2.12.6.1-0), libldap-2.4-2 (= 2.4.25-3), libltdl7 (>= 2.4), libperl5.12 (>= 5.12.4), libsasl2-2, libslp1, libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base (>= 3.2-13), libdb4.8 (>= 4.8.30)<br>
Pre-Depends: debconf (>= 0.5) | debconf-2.0, multiarch-support<br>
Recommends: libsasl2-modules<br>
Suggests: ldap-utils<br>
Conflicts: ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd<br>
Size: 1643524<br>
Description: OpenLDAP server (slapd)<br>
This is the OpenLDAP (Lightweight Directory Access Protocol) server<br>
(slapd). The server can be used to provide a standalone directory<br>
service.<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>
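<p>As an added example, not part of this thread and not OpenLDAP's own code, here is a small Python checker that walks slapd log lines like the ones quoted above, pairs each conn's STARTTLS with its outcome, and flags connections that were closed with "TLS negotiation failure" together with how long the handshake hung before slapd gave up. The sample lines are the post's own log lines rejoined onto single lines; the year 2011 is assumed for timestamp parsing because syslog lines carry no year.</p>

```python
import re
from datetime import datetime

# Sample slapd log lines: the post's "before" and "after" excerpts, rejoined
# from their wrapped form. The year is not present in syslog output, so the
# analyzer takes it as a parameter (2011 assumed here).
SAMPLE_LOG = """\
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from IP=144.92.166.12:41021 (IP=0.0.0.0:389)
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established tls_ssf=128 ssf=128
Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from IP=144.92.166.12:37619 (IP=0.0.0.0:389)
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
Dec 8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation failure)
"""

# syslog prefix + "slapd[pid]: conn=N" + the rest of the message
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+slapd\[\d+\]:\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$"
)
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+)")
ESTABLISHED_RE = re.compile(r"TLS established tls_ssf=(\d+)")
NEG_FAILURE = "closed (TLS negotiation failure)"


def parse_line(line, year):
    """Return (timestamp, conn_id, message) for a slapd conn line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                           "%b %d %H:%M:%S %Y")
    return ts, int(m["conn"]), m["rest"]


def analyze_slapd_log(text, year=2011):
    """Track each connection's StartTLS and report how the TLS layer ended."""
    conns = {}
    for raw in text.splitlines():
        parsed = parse_line(raw.strip(), year)
        if parsed is None:
            continue
        ts, conn, rest = parsed
        c = conns.setdefault(conn, {
            "conn": conn, "client": None, "starttls_at": None,
            "outcome": "pending",          # no TLS verdict seen yet
            "handshake_seconds": None,     # STARTTLS -> established/closed
            "tls_ssf": None,
        })
        m = ACCEPT_RE.search(rest)
        if m:
            c["client"] = m.group(1)
            continue
        if rest.endswith(" STARTTLS"):
            c["starttls_at"] = ts
            continue
        m = ESTABLISHED_RE.search(rest)
        if m:
            c["outcome"] = "established"
            c["tls_ssf"] = int(m.group(1))
        elif NEG_FAILURE in rest:
            c["outcome"] = "negotiation_failure"
        else:
            continue
        if c["starttls_at"] is not None:
            c["handshake_seconds"] = (ts - c["starttls_at"]).total_seconds()
    return conns


def failed_handshakes(conns):
    """Conn ids whose TLS handshake was closed by slapd as a negotiation failure."""
    return sorted(cid for cid, c in conns.items()
                  if c["outcome"] == "negotiation_failure")


if __name__ == "__main__":
    report = analyze_slapd_log(SAMPLE_LOG)
    for cid in sorted(report):
        c = report[cid]
        print(f"conn={cid} client={c['client']} outcome={c['outcome']} "
              f"handshake={c['handshake_seconds']}s tls_ssf={c['tls_ssf']}")
    print("failed handshakes:", failed_handshakes(report))
```

<p>Run against the lines above, the checker reports conn=45701 as established with tls_ssf=128 and conn=1006 as a negotiation failure 24 seconds after STARTTLS. The detail worth noticing is that in the failing trace the STARTTLS RESULT still carries err=0: slapd accepted the extended operation, so the failure happened inside the TLS handshake itself, which is exactly the part a packet capture on port 389 shows and the server log does not.</p>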