@Martin Pitt: Ok, here's all the stuff:

$ ldapsearch -x -b 'dc=ini,dc=uzh,dc=ch' uid=stephan -H ldap://ldap.ini.uzh.ch -ZZ -d7
ldap_url_parse_ext(ldap://ldap.ini.uzh.ch)
ldap_create
ldap_url_parse_ext(ldap://ldap.ini.uzh.ch:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.ini.uzh.ch:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.3.220:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
  0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x6121b0 msgid 1
wait4msg ld 0x6121b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x6121b0 msgid 1 all 1
** ld 0x6121b0 Connections:
* host: ldap.ini.uzh.ch port: 389 (default)
  refcnt: 2 status: Connected
  last used: Wed Apr 1 10:27:29 2009
** ld 0x6121b0 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x6121b0 request count 1 (abandoned 0)
** ld 0x6121b0 Response Queue:
   Empty
  ld 0x6121b0 response count 0
ldap_chkResponseList ld 0x6121b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x6121b0 NULL
ldap_int_select
read1msg: ld 0x6121b0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000: 30 0c 02 01 01 78 07 0a   0....x..
ldap_read: want=6, got=6
  0000: 01 00 04 00 04 00   ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x6121b0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x6121b0 0 new referrals
read1msg: mark request completed, ld 0x6121b0 msgid 1
request done: ld 0x6121b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_start_tls: Connect error (-11)

$ gnutls-cli --x509cafile /etc/ssl/ca.crt -p 636 ldap.ini.uzh.ch
Processed 1 CA certificate(s).
Resolving 'ldap.ini.uzh.ch'...
Connecting to '172.16.3.220:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches 'ldap.ini.uzh.ch'.
 # valid since: Thu Mar 26 16:12:57 CET 2009
 # expires at: Sun Mar 24 16:12:57 CET 2019
 # fingerprint: 85:DC:41:56:F7:A0:DC:9A:D6:D1:C6:8D:26:41:60:22
 # Subject's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP Server,CN=ldap.ini.uzh.ch
 # Issuer's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP CA,CN=ca.ldap.ini.uzh.ch
 - Certificate[1] info:
 # valid since: Thu Mar 26 16:10:06 CET 2009
 # expires at: Sun Mar 24 16:10:06 CET 2019
 # fingerprint: B9:EF:76:2B:CD:2B:D4:5A:FF:08:AD:E6:9C:18:3E:0D
 # Subject's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP CA,CN=ca.ldap.ini.uzh.ch
 # Issuer's DN: C=CH,ST=Zuerich,L=Zuerich,O=INI,OU=LDAP CA,CN=ca.ldap.ini.uzh.ch
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
*** Verifying server certificate failed...

So it looks like it's because gnutls thinks the certificate is not trusted.
However, it's the same ca cert as the one used on the ldap server.