Hi, ldapsearch with an ldaps-URL stopped working recently, probably with the update from openssl 1.0.0 to openssl 1.0.1. On a server with up-to-date packages (openssl-1.0.1e-16.el6_5.x86_64, openldap-clients-2.4.23-32.el6_4.1.x86_64) I get the following errors when issuing an ldapsearch (some parts anonymized): [bad]# ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s sub -v "uid=ME" ldap_url_parse_ext(ldaps://ldap.domain.org:6636/) ldap_initialize( ldaps://ldap.domain.org:6636/??base ) ldap_create ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.domain.org:6636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 12.34.56.78:6636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error. TLS: error: connect - force handshake failure: errno 0 - moznss error -12226 TLS: can't connect: TLS error -12226:SSL peer rejected a handshake message for unacceptable content.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [bad]# while on a system with slightly older OpenSSL package (openssl-1.0.0-27.el6_4.2.x86_64, same openldap-clients package version), I get the following error: [good]# ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s sub -v "uid=me" ldap_url_parse_ext(ldaps://ldap.domain.org:6636/) ldap_initialize( ldaps://ldap.domain.org:6636/??base ) ldap_create ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.domain.org:6636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 12.34.56.78:6636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error. TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found. TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. TLS: error: connect - force handshake failure: errno 2 - moznss error -8172 TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [good]# It /does/ see the certificate, even though it has a problem with it. Since I know the LDAP server is trustable - despite the certificate issue -, I can work around it with "TLS_REQCERT never" in /etc/openldap/ldap.conf or by prefixing the ldapsearch line with "LDAPTLS_REQCERT=never": [good]# LDAPTLS_REQCERT=never ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s sub -v "uid=me" ldap_url_parse_ext(ldaps://ldap.domain.org:6636/) ldap_initialize( ldaps://ldap.domain.org:6636/??base ) ldap_create ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.domain.org:6636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 12.34.56.78:6636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error. TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found. TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. TLS certificate verification: subject: CN=ldap.domain.org,OU=Domain Control Validated,C=DE, issuer: CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0 [... ldapsearch results here ...] [good]# If I do the same on the system with OpenSSL 1.0.1e, I get the same error as w/o this setting. It could be a problem with the OpenSSL 1.0.1 package - hopefully not - or just a configuration issue. I just have no idea which one. Any pointer is highly appreciated. Cheers frank