On 06/05/2014 05:57 AM, Amos Jeffries wrote:
On 4/06/2014 9:14 p.m., Jose-Marcio Martins wrote:
On 06/03/2014 08:00 PM, Amos Jeffries wrote:
On 3/06/2014 8:23 a.m., Jose-Marcio Martins wrote:
What do you see running it manually with that command line?
Good hint. The same thing, see below. And problem solved!!!
If its crashing you could also try running it under a debugger to find
out why.
In fact it doesn't crash. It terminates as this is the normal behavior
of the helper when TLS connection fails.
In fact the problem comes from outside the helper. TLS connection fails
because openldap libraries do check the validity of server certificate.
Although it's a valid certificate, it fails... 8-(
The solution is to put these lines in /etc/openldap/ldap.conf:
TLS_REQCERT never
TLS_CRLCHECK none
Maybe it could be a good idea to force this from inside the helper as
ldap.conf is a server wide configuration and, for some people, not so
easy to debug.
If anyone wants to produce a patch the helper definitely needs to print
an error message about the TLS failure.
OK. I'll put this in my todo list. I'm working on another helper (acl/redirect), and can spend some
time here.
Disabling TLS like that is generally not the right thing to do though.
Yes, because it's server-wide.
Some more debugging is needed to find out why the cert is valid and
still failing verification.
Yes, a more verbose message.
In this case, what can be done, I guess, is to get the error result from the "ldap_start_tls_s" call
and pass it to "ldap_error" to get the human readable version of the error and add it to the
current error message. I can do this. For a more verbose message, one may need tools like strace.
In *my particular case* :
Perhaps the LDAP server or Squid machine TLS/SSL library needs updating?
No. It's an up-to-date Fedora box with a quite recent OpenSSL library.
or the ca-certificates set used by one of them?
Ha, ha... It's an official and still valid certificate (Comodo), but the chain doesn't seem to be
present in the Fedora stock...
or just a tweak of the acceptable ciphersuites?
Not in my case.
Worst case regenerating the "valid" cert using up-to-date ciphers and
key lengths may be necessary if it is a very old cert.
Amos
--
Sent from my typewriter.
---------------------------------------------------------------
Spam: Statistical classification of electronic messages -
A pragmatic approach
At Amazon.fr: http://amzn.to/LEscRu or http://bit.ly/SpamJM
---------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ http://www.j-chkmail.org
Ecole des Mines de Paris http://bit.ly/SpamJM
60, bd Saint Michel 75272 - PARIS CEDEX 06
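The thread's diagnosis (a valid Comodo leaf certificate whose chain is not present on the client) is exactly the situation where reaching for "TLS_REQCERT never" hides the real fault. The script below is an added example, not code from the thread or from the Squid helpers: it probes the LDAP server's TLS handshake with openssl s_client, which applies the same X.509 verification the OpenLDAP client library performs, and maps OpenSSL's "Verify return code" to the likely cause and the fix that keeps verification enabled (TLS_CACERT pointing at the missing chain, or the server sending its intermediates). The hostname, port and CA bundle path are placeholders; only the code-to-explanation mapping runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or Squid): diagnose why an LDAP TLS
# handshake fails certificate verification instead of disabling it.
# Host, port and CA path used in the usage line are assumed placeholders.

# Run openssl s_client against the LDAPS port and keep only the
# "Verify return code" line. Pass a CA bundle as third argument to test a
# candidate TLS_CACERT before touching ldap.conf. For STARTTLS on 389,
# replace "-connect host:636" with "-connect host:389 -starttls ldap"
# (supported since OpenSSL 1.1.1).
probe_ldap_tls() {
    host="$1"; port="${2:-636}"; cafile="$3"
    caopt=""
    [ -n "$cafile" ] && caopt="-CAfile $cafile"
    # </dev/null closes the session immediately after the handshake.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        $caopt </dev/null 2>/dev/null | grep 'Verify return code'
}

# Extract the numeric code from a "Verify return code: N (text)" line on stdin.
verify_code() {
    sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p'
}

# Map OpenSSL X509_V_ERR codes (see "man verify") to the likely cause and a
# fix that keeps verification on, rather than TLS_REQCERT never.
explain_verify_code() {
    case "$1" in
        0)
            echo "ok: chain verified; the helper failure is not the certificate" ;;
        2|20)
            echo "untrusted issuer: the CA or intermediate is not in the local trust store; set TLS_CACERT to a bundle that contains the chain" ;;
        21)
            echo "server sent only the leaf: the intermediate CA is missing from the server's chain; add the intermediate(s) to the server's certificate file, or install them locally via TLS_CACERT" ;;
        10)
            echo "certificate expired: renew it on the server" ;;
        18|19)
            echo "self-signed certificate: add it explicitly via TLS_CACERT or TLS_CACERTDIR" ;;
        *)
            echo "verify code $1: look up the X509_V_ERR meaning in 'man verify'" ;;
    esac
}

# Usage (needs network access to the LDAP server; values are placeholders):
#   probe_ldap_tls ldap.example.org 636 /etc/pki/tls/certs/ca-bundle.crt \
#       | verify_code | xargs explain_verify_code
# Cross-check from the OpenLDAP side, which prints the TLS trace:
#   ldapsearch -x -ZZ -d 1 -H ldap://ldap.example.org -b '' -s base
```

If the probe reports code 21, the server is at fault (it is not sending its intermediate certificates); code 20 means the client's trust store lacks the chain, which is the case the thread describes, and is fixed with a TLS_CACERT line in ldap.conf (or per-connection in the helper with LDAP_OPT_X_TLS_CACERTFILE) rather than by turning verification off for every OpenLDAP client on the box.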