Update to libgnutls26-2.12.23-12ubuntu2.5 broke ldapsearch and Apache Directory Studio for me in particular. Whatever the previous version was worked fine. Now, when trying to connect via TLS or SSL to our ldap server, I get the following with gnutls-cli:
# gnutls-cli --print-cert -p 636 192.168.125.187
Connecting to '192.168.125.187:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
But, works fine with openssl:
# openssl s_client -connect 192.168.125.187:636 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = MyZip, ST = GA, L = MyTown, street = MyStreetAddress, O = MyOrg, CN = 192.168.125.187
verify return:1
---
Certificate chain
0 s:/C=US/postalCode=MyZip/ST=MyState/L=MyTown/street=MyStreetAddress/O=MyOrg/CN=192.168.125.187
i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=US/postalCode=MyZip/ST=MyState/L=MyTown/street=MyStreetAddress/O=MyOrg/CN=192.168.125.187
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5340 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 9D3700003CBC5A44A8B0869C88E432ABD6DFAAEF4EC8268126E4DC6E8398E93B
Session-ID-ctx:
Master-Key: 34CD7A397FB10369831C94F74B048DF1CDE325B4207F15D0354F2487E2E7B697E477ACCA7D0214F98207820A1A4E5D30
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1457420252
Timeout : 300 (sec)
Verify return code: 0 (ok)
---