Hi,

I'm having trouble accessing a key server with the LDAPS protocol, e.g. LDAP over TLS on port 636.

When dirmngr connects to ldaps://ourinternalkeyserver/, it first send a STARTTLS command and the server software rejects it because it expects the client to first establish a TLS connection. It seems that dirmngr only handles TLS if the connection is initially unencrypted and switched to TLS dynamically with the STARTTLS mecanism.

I think that ldaps:// URLs should be handled differently than ldap:// + STARTTLS.

Can anyone reproduce this problem? It should be enough to configure an OpenLDAP key server with ldaps on port 636. Unfortunately I can only test on an old PGP Universal Server. I checked that a simple ldapsearch can retrieve data :

ldapsearch -H ldaps://pgpks.example.com:636 -b "o=Searchable PGP keys" -x -v -LLL "pgpUserID=*e*"

Also, both openssl s_client -host pgpks.example.com -port 636 and gnutls-cli --verbose pgpks.example.com:636 report that they can successfully establish a TLS connection to the server (so both openssl and gnutls accept the server certificate as trusted).

A tcpdump shows the rejected STARTTLS command (pasted from WireShark : 0\35\2\1\1w\30\200\0261.3.6.1.4.1.1466.20037).