I've been having a hell of a time enabling LDAPS on my Zimbra servers... I have a Zimbra OpenSource installation with two slave LDAP servers. I want to enable SSL on all the LDAP servers with the same GoDaddy *.domain.com (wildcard) certificate we have installed in Zimbra for its WebUI and IMAP services. I've been having a hell of a time getting this to work and am now starting to wonder if it's even possible... I can easily get LDAP running, but as soon as I set TLSVerifyClient to 'demand', even ldapsearches fail. They validate the certificates just fine, but then have a problem with the SSLv3 encryption.

slapd.conf settings:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/certs/ca.pem
TLSCertificateFile /etc/certs/server.crt
TLSCertificateKeyFile /etc/certs/server.key
TLSVerifyClient demand

/etc/openldap/ldap.conf settings:
ssl start_tls
TLS_CACERT /etc/certs/ca.pem
TLS_CACERTDIR /etc/certs
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient never

output of an ldapsearch with -ZZ and ldaps://

ldap_initialize( ldaps://localhost )
ldap_create
ldap_url_parse_ext(ldaps://localhost)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, err: 0, subject: /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com, issuer: /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority, issuer: /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234, issuer: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=California/L=Mountain View/O=My Org, Inc./OU=My Domain/CN=*.domain.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Any ideas? We're pretty stuck here...
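As an added example (not part of the original post), a small POSIX sh check that reads a slapd.conf and a client ldap.conf and flags the combination visible in the trace above: the server demands a client certificate while the client config sets no TLS_CERT/TLS_KEY, so the client sends an empty Certificate message and the server aborts with a handshake_failure alert. Directive names are OpenLDAP's; the sample configs and /etc/certs paths are constructed to mirror the post.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check slapd.conf against a
# client ldap.conf for a mutual-TLS mismatch. Directive names are OpenLDAP's;
# the sample configs and /etc/certs paths below are constructed to mirror the post.

# conf_get FILE KEY -> first value of KEY (case-insensitive), comment lines skipped
conf_get() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_mtls SLAPD_CONF LDAP_CONF -> 0 if the client can satisfy the server's
# client-certificate policy, 1 if it cannot. Also warns about slapd-only
# directives that libldap silently ignores when they are placed in ldap.conf.
check_mtls() {
    cm_verify=$(conf_get "$1" TLSVerifyClient)
    cm_rc=0
    for k in TLSCipherSuite TLSVerifyClient TLSCACertificateFile; do
        if [ -n "$(conf_get "$2" "$k")" ]; then
            echo "warn: $k is a slapd.conf directive; ldap.conf uses TLS_CIPHER_SUITE / TLS_REQCERT / TLS_CACERT"
        fi
    done
    case "${cm_verify:-never}" in
    demand|hard)
        if [ -z "$(conf_get "$2" TLS_CERT)" ] || [ -z "$(conf_get "$2" TLS_KEY)" ]; then
            echo "fail: server sets TLSVerifyClient $cm_verify but ldap.conf has no TLS_CERT/TLS_KEY:"
            echo "      the client sends an empty Certificate message and the server replies with a handshake_failure alert"
            cm_rc=1
        fi ;;
    esac
    return $cm_rc
}

# Constructed sample configs mirroring the post
demo_dir=$(mktemp -d)
cat >"$demo_dir/slapd.conf" <<'EOF'
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/certs/ca.pem
TLSCertificateFile /etc/certs/server.crt
TLSCertificateKeyFile /etc/certs/server.key
TLSVerifyClient demand
EOF
cat >"$demo_dir/ldap.conf" <<'EOF'
TLS_CACERT /etc/certs/ca.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient never
EOF
check_mtls "$demo_dir/slapd.conf" "$demo_dir/ldap.conf" || echo "mismatch detected (exit status $?)"
rm -r "$demo_dir"
```

Adding TLS_CERT and TLS_KEY for a certificate issued by a CA the server trusts (or relaxing TLSVerifyClient on the server) makes the check pass; the same mismatch also shows up in the OpenSSL trace as a "read server certificate request" followed by a fatal handshake failure.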