openssl error: "alert write:fatal:bad record mac"
Hello,
After upgrading RHEL from 5.8 to 5.11, LDAP users could not connect with ssl = on, showing the error below:
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /DC=CA/DC=CN/CN=CN PRD ISSUING CA1, issuer: /DC=CA/DC=CN/CN=CN PRD ROOT CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert write:fatal:bad record mac
TLS trace: SSL_connect:error in SSLv3 read finished A
TLS trace: SSL_connect:error in SSLv3 read finished A
TLS: can't connect.
ldap_err2string
An LDAP user with ssl = off can connect through ldap users.
The openldap and openssl packages installed on the customer system are:
rpm -qa | grep openssh
openssh-server-6.1p1-1
openssh-clients-6.1p1-1
openssh-6.1p1-1
rpm -qa | grep openssl
openssl-libs-1.0.2h-1
openssl097a-0.9.7a-12.el5_10.1
openssl-0.9.8e-40.el5_11
openssl-fips-1.0.2h-1
openssl-libs-1.0.2h-1
openssl097a-0.9.7a-9.el5_4.2
openssl-0.9.8e-40.el5_11
openssl-fips-1.0.2h-1
rpm -qa |grep ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-29.el5_11
mozldap-6.0.5-2.el5
openldap24-libs-2.4.23-5.el5
nss_ldap-253-52.el5_11.2
openldap-clients-2.3.43-29.el5_11
nss_ldap-253-52.el5_11.2
openldap-2.3.43-29.el5_11
Any pointers would be helpful.
Thanks