OpenLDAP server logs filled with "TLS negotiation failure"

Posted by WildVelociraptor on Server Fault See other posts from Server Fault or by WildVelociraptor
Published on 2013-11-06T15:50:33Z Indexed on 2013/11/06 15:56 UTC
Read the original article Hit count: 277

Filed under:

openldap

|

tls

I recently migrated an old OpenLDAP setup to a newer server, with a more robust certificate setup. Currently, most hosts are required to verify the cert matches the host:

    tls_checkpeer yes
    TLS_REQCERT always

In the server logs, there are multiple occurences of:

    Nov  6 10:45:08 <servername> slapd[1773]: conn=2785646 fd=35 closed (TLS negotiation failure)

These errors appear from multiple hosts, but there don't seem to be any issues actually logging into those servers with an LDAP account. Does anyone know what would cause these errors?

The server is running Ubuntu 12.04.2, and OpenLDAP version 2.4.28. The cert was generated using GnuTLS.

© Server Fault or respective owner

Related posts about openldap

Can't install new database in OpenLDAP 2.4 with BDB on Debian

as seen on Server Fault - Search for 'Server Fault'
I'm trying to install an openldap server (slapd) on a Debian EC2 instance. I have followed all the instructions I can find, and am using the recommended slapd-config approach to configuration. It all seems to be just fine, except that for some reason it can't create my new database. ldap.conf.bak… >>> More
Installing openLDAP

as seen on Server Fault - Search for 'Server Fault'
I have followed installing openLDAP from http://www.openldap.org/doc/admin24/quickstart.html and follow the tasks up to # 9. when I run [ su root -c /usr/local/libexec/slapd ] it asks for password and after I type the password no indication of if server has been started or not. When I run [ ldapsearch… >>> More
Create Active Directory schema into OpenLDAP

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Friends, I need to store Active Directory Data into OpenLDAP and for that I want to create the Active Directory schema into OpenLDAP. How to do it? >>> More
OpenLDAP on windows

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Friends, I am looking for some way of implementing OpenLDAP on WindowsXP. Is this possible? If Yes thn please tell me how? >>> More
OpenLDAP and user role based accedss controll (RBAC)

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, my company uses an openldap server which stores corporate user information ((username,passwd and some other information like email are stored in ldap).. Till now they only use it for authentication but now we'd like to use for authentication also, this means that we'll create roles (as ldap… >>> More

Related posts about tls

OpenVPN Error : TLS Error: local/remote TLS keys are out of sync: [AF_INET]

as seen on Server Fault - Search for 'Server Fault'
Fist off thanks for reading this, I appreciate any and all suggestions. I am having some serious problems reconnecting to my OpenVPN client using Riseup.net's VPN. I have spent a few days banging my head against the wall in attempts to set this up on my iOS devices....but that is a whole other issue… >>> More
Using SSL on slapd

as seen on Server Fault - Search for 'Server Fault'
I am setting up slapd to use SSL on Fedora 14. I have the following in my /etc/openldap/slapd.d/cn=config.ldif: olcTLSCACertificateFile: /etc/pki/tls/certs/SSL_CA_Bundle.pem olcTLSCertificateFile: /etc/pki/tls/certs/mydomain.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/mydomain.key olcTLSCipherSuite:… >>> More
OpenLDAP, howto allow both secure (TLS) and unsecure (normal) connections?

as seen on Server Fault - Search for 'Server Fault'
Installed OpenLDAP 2.4 on FreeBSD 8.1. It works for ordinary connections OR for TLS connections. I can change it by (un)commenting the following lines in slapd.conf. # Enable TLS #security ssf=128 # Disable TLS security ssf=0 Is there a way to allow the clients to connect using TLS OR no-TLS… >>> More
Can't access Postfix TLS/SSL

as seen on Server Fault - Search for 'Server Fault'
I have set up my Postfix, with TLS/SSL, correctly. Every test on the machine itself (with telnet) runs fine. However, when I want to access the server from somewhere else, it fails. So port 587 and the rest is blocked for some reason, but I don't really know where. >>> More
Directory listing through FTPS (TLS) is not working

as seen on Server Fault - Search for 'Server Fault'
We recently switched our server to require TLS for every connection. This is working flawlessly so far, but one of our clients is having problems. Some facts: Server uses Pure-FTPD Server has a passive port range configured Server has no firewall limitations regarding the FTP Client uses WS FTP Client… >>> More