http://bugs.exim.org/show_bug.cgi?id=1382
--- Comment #5 from alxgomz <alxgomz@???> 2013-09-10 01:01:09 ---
I have tried both patches but it doesn't fix the issue.
The debug still shows "LDAP_OPT_X_TLS_TRY" regardless of the value of
ldap_require_cert = allow.
I have also tried the patch from the following page
https://gist.github.com/mrballcb/6501428, but that didn't help either.
I have added a debug line before the ldap_start_tls_s line 534 in order to
check the options of the ldap connection:
...
#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
527 /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
528  * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
529  * export an ldap_start_tls_s symbol.
530  */
531 int cert_option;
532 ldap_get_option(lcp->ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
533 debug_printf("trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = %d\n", cert_option);
534 if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
535   {
536   *errmsg = string_sprintf("failed to initiate TLS processing on an "
537     "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
538     " %s", host, porttext, rc, ldap_err2string(rc));
539   goto RETURN_ERROR;
540   }
...
It seems to be set properly (according to ldap.h) from the config file, as I
get:
00:31:37 6469 3 set for cert_option
00:31:37 6469 binding with user=uid=exim,dc=middle,dc=earth password=eximmta
00:31:37 6469 trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = 3
00:31:37 6469 failed to initiate TLS processing on an LDAP session to server
ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error
00:31:37 6469 lookup deferred: failed to initiate TLS processing on an LDAP
session to server ldap.middle.earth:389 - ldap_start_tls_s() returned -11:
Connect error
But as you can see I still get a connection error, and checking the network dump
I see I have the following TLS alert: "Unknown CA", which shouldn't happen with
ldap_require_cert set to allow.
I cannot exclude any setup error on my side, but again, I have dovecot happily
doing LDAP TLS against the same LDAP server (so with the same self-signed
certificate) with a similar configuration (tls = yes tls_require_cert = allow).