From: "Joe Ammann (JIRA)"
To: dev@directory.apache.org
Date: Tue, 13 Jun 2006 16:37:30 +0000 (GMT+00:00)
Subject: [jira] Commented: (DIR-185) ldaps not working with gpg
Message-ID: <14673688.1150216650642.JavaMail.jira@brutus>
In-Reply-To: <16228620.1149681569862.JavaMail.jira@brutus>
List: dev@directory.apache.org (Apache Directory Developers List)

    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416034 ]

Joe Ammann commented on DIR-185:
--------------------------------

If gpg is based on OpenLDAP, you might have to reduce the LDAP connection
security checks that are applied by default. To lower the checks performed by
the OpenLDAP library, you can set properties in $HOME/.ldaprc

TLS_CACERT /path/to/cacert.pem
TLS_REQCERT never

ldap.conf(5) has more detailed descriptions of the options.

I tested this with the GQ client, and setting the appropriate options allowed
me to connect with an LDAPS server with a self-signed certificate.

> ldaps not working with gpg
> --------------------------
>
>          Key: DIR-185
>          URL: http://issues.apache.org/jira/browse/DIR-185
>      Project: Directory
>         Type: Bug
>   Components: miscellaneous
>  Environment: cygwin gpg (GnuPG) 1.4.1
>     Reporter: Ralf Hauser
>     Assignee: Alex Karasulu
>
> when doing
>
> myPc> gpg --keyserver ldaps://localhost:2636 --search micky -v
> gpg: searching for "micky -v" from ldaps server localhost
> gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
> gpg: key "micky -v" not found on keyserver
> gpg: keyserver internal error
> gpg: keyserver search failed: keyserver error
>
> on the server-side, I see
>
> <<7594 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] OPENED
> 8016 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] CLOSED
> 8016 [IoThreadPool-1] ERROR org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] EXCEPTION:
> javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:422)
>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:494)
>     at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
>     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:761)
>     at org.apache.mina.filter.ThreadPoolFilter.processEvent(ThreadPoolFilter.java:665)
>     at org.apache.mina.filter.ThreadPoolFilter$Worker.processEvents(ThreadPoolFilter.java:421)
>     at org.apache.mina.filter.ThreadPoolFilter$Worker.run(ThreadPoolFilter.java:376)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
>     at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:675)
>     at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:492)
>     at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:291)
>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:390)
>     ... 6 more>>
>
> it would be great to know what ca gpg is presenting or what other measures would make this work...

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
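Added example, not code from the thread, from gpg or from the Apache Directory project: a small Python checker that parses an ldap.conf-style file such as the $HOME/.ldaprc shown in the comment and flags settings that switch off server certificate verification. The "unknown_ca" alert in the quoted server log is the client rejecting a certificate it has no trust anchor for, so the narrower fix for a self-signed LDAPS server is to point TLS_CACERT at that server's own certificate and leave TLS_REQCERT at demand, rather than setting TLS_REQCERT never, which accepts any certificate at all. The two embedded config samples are constructed, the file paths in them are placeholders, and the "last occurrence wins" rule for repeated keys is an assumption of this checker, not documented libldap behaviour.

```python
"""Audit an OpenLDAP client configuration (ldap.conf / ~/.ldaprc) for TLS
settings that weaken or disable server certificate verification.

Added example, not part of the DIR-185 thread or any project's code.
"""
import sys

# Verification strength implied by TLS_REQCERT, as described in ldap.conf(5):
#   never       - do not request or check the server certificate
#   allow       - request it; a missing or bad certificate is ignored
#   try         - request it; missing is ignored, a bad one ends the session
#   demand/hard - a missing or bad certificate ends the session
REQCERT_LEVELS = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}

# Constructed sample: the settings quoted in the thread (verification off).
WEAK_LDAPRC = """\
# ~/.ldaprc as suggested in the comment
TLS_CACERT /path/to/cacert.pem
TLS_REQCERT never
"""

# Constructed sample: keep verification on and trust the self-signed server
# certificate explicitly instead. The path is a placeholder.
HARDENED_LDAPRC = """\
TLS_CACERT /etc/ssl/certs/ldap-server-selfsigned.pem
TLS_REQCERT demand
"""


def parse_ldaprc(text):
    """Parse ldap.conf-style 'KEY value' lines into a dict.

    Blank lines and '#' comments are skipped and keys are upper-cased so
    lookups are case-insensitive. A repeated key keeps its last value
    (an assumption made by this checker).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then the rest of the line
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings):
    """Return a list of (severity, message) findings for the parsed settings."""
    findings = []
    # ldap.conf(5) documents 'demand' as the default when TLS_REQCERT is absent
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    level = REQCERT_LEVELS.get(reqcert)
    if level is None:
        findings.append(("error", f"TLS_REQCERT has unknown value {reqcert!r}"))
    elif level <= 1:
        findings.append(("high", f"TLS_REQCERT {reqcert}: a forged or invalid "
                         "server certificate is accepted, so LDAPS provides "
                         "no server authentication"))
    elif level == 2:
        findings.append(("medium", "TLS_REQCERT try: a server that presents "
                         "no certificate is accepted"))
    if not (settings.get("TLS_CACERT") or settings.get("TLS_CACERTDIR")):
        findings.append(("medium", "no TLS_CACERT or TLS_CACERTDIR: a private "
                         "or self-signed server certificate has no trust "
                         "anchor to be validated against"))
    return findings


def audit_file(path):
    """Parse and audit a real ldap.conf / .ldaprc file."""
    with open(path, encoding="utf-8") as handle:
        return audit_tls(parse_ldaprc(handle.read()))


def report(name, findings):
    """Print findings for one configuration in a readable form."""
    print(f"[{name}]")
    if not findings:
        print("  ok: server certificate verification is enforced")
    for severity, message in findings:
        print(f"  {severity}: {message}")


if __name__ == "__main__":
    # With no arguments, audit the two embedded samples; otherwise audit files.
    if len(sys.argv) == 1:
        report("weak sample", audit_tls(parse_ldaprc(WEAK_LDAPRC)))
        report("hardened sample", audit_tls(parse_ldaprc(HARDENED_LDAPRC)))
    for path in sys.argv[1:]:
        report(path, audit_file(path))
```

Run it with no arguments to see the two samples scored, or pass one or more paths (for example ~/.ldaprc and /etc/ldap/ldap.conf) to audit the files a gpg keyserver lookup on that host would actually read.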