Page MenuHome GnuPG

error accessing ldaps key server (TLS vs. STARTTLS)
Closed, ResolvedPublic



I'm having trouble accessing a key server with the LDAPS protocol, e.g. LDAP over TLS on port 636.

When dirmngr connects to ldaps://ourinternalkeyserver/, it first send a STARTTLS command and the server software rejects it because it expects the client to first establish a TLS connection. It seems that dirmngr only handles TLS if the connection is initially unencrypted and switched to TLS dynamically with the STARTTLS mecanism.

I think that ldaps:// URLs should be handled differently than ldap:// + STARTTLS.

Can anyone reproduce this problem? It should be enough to configure an OpenLDAP key server with ldaps on port 636. Unfortunately I can only test on an old PGP Universal Server. I checked that a simple ldapsearch can retrieve data :

ldapsearch -H ldaps:// -b "o=Searchable PGP keys" -x -v -LLL "pgpUserID=*e*"

Also, both openssl s_client -host -port 636 and gnutls-cli --verbose report that they can successfully establish a TLS connection to the server (so both openssl and gnutls accept the server certificate as trusted).

A tcpdump shows the rejected STARTTLS command (pasted from WireShark : 0\35\2\1\1w\30\200\0261.


3.5.8 (Debian stretch)

Event Timeline

werner renamed this task from error accessing ldaps key server to error accessing ldaps key server (TLS vs. STARTTLS).Apr 17 2018, 8:38 PM
werner triaged this task as Normal priority.

Thanks for looking into this issue :-)

I can reproduce it and test patches.

werner claimed this task.
werner added a project: Too Old.
werner added a subscriber: werner.

The code has meanwhile been reworked and the mentioned test server is not anymore available