On Sun, 2010-02-28 at 11:22 -0700, Craig White wrote: > ---- > do you mean other than the fact that this simply talks about TLS Client > and that SSL is deprecated and generally ignored in the documentation? > > SSL communication is different than TLS. With all due respect deprecated doesn't mean broken. While SSL is different than TLS using "TLSVerifyClient allow" works on the server. For that matter so does "TLSVerifyClient demand". In fact if I use the latter configuration and do not provide a client certificate ldap_bind fails as expected. From what I can tell the server certificate is never passed to the client unless "TLSVerifyClient never" as seen from: > ldapsearch -d 1 -x -LLL -H ldaps://incoming.mric.net:636 "(uid=acaplan)" sn uid ldap_create ldap_url_parse_ext(ldaps://incoming.mric.net:636) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP incoming.mric.net:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 208.139.195.124:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org, issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org TLS certificate verification: depth: 0, err: 0, subject: /CN=incoming.mric.net, issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org TLS trace: SSL_connect:SSLv3 read server certificate A The client requests hangs because the LDAP server is not providing its certificate. I just found it strange that the communication process works fine as long as all the communication occurs on the server. I find it even stranger that the failure mode seems to be that the LDAP server doesn't pass its certificate to the client ... that seems really broke to me whether or not SSL is deprecated. In any event this is all moot because I am in the process of switching over to TLS. Thanks to everyone who helped sort this issue. -- Paul (ganci at nurdog.com)