(ITS#7397) SSL problem
Full_Name: zhang fan
Version: 2.3.43
OS: RHEL5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (202.108.130.138)
Hi Jon,
I am an FVT member of the CSTL System z LDAP team.
Now I was configuring OpenLDAP with SSL support, but one problem came
up and now I ask for your help. Thank you very much.
My LDAP server worked well before setting up SSL.
The SSL-related options in slapd.conf are:
TLSCipherSuite ALL
TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
TLSVerifyClient never
and I use openssl to test the connection:
[root@zosmf07 ~]# openssl s_client -connect zosmf07.cn.ibm.com:636 -showcerts -state -CAfile /etc/pki/tls/certs/slapd.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
7587:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
The server debug log looks like this:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c:1009
But when I use openssl s_server to listen on port 636, the SSL
handshake succeeds.
[root@zosmf07 ~]# openssl s_server -accept 636 -cert /etc/pki/tls/certs/slapd.pem -key /etc/pki/tls/certs/slapd.pem -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgwtPmka9K2vuA3Eg6Vu8ZBGOIGiq2RVQBAR7/U//dIf4E
MDXZOmotMZFmCsIV+5448cYBMN5zTGe6FJeVHxdu9KuEe0BYnZ69LW/GbLmNyemk
4KEGAgRQWUytogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
Thank you very much for your help. This problem has bothered me for two weeks. I
tried many methods but couldn't solve it. Thank you.
PS: the above is a self-signed certificate. I tried a CA as well; the same problem came
up.
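An added, offline way to read the two traces in the report (example code written for this page, not the reporter's or OpenLDAP's): it decodes the OpenSSL error codes using the 1.0.x-era ERR_PACK layout (library in the top byte, function in the next 12 bits, reason in the low 12 bits; a reason at or above 1000 is a TLS alert received from the peer, 1000 plus the alert number) and works out which side actually aborted the handshake. The trace lines are the ones from the post (the wrapped client line rejoined); the alert table follows RFC 5246, and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenSSL 1.0.x-era error-code packing (ERR_PACK): library in bits 24-31,
# function in bits 12-23, reason in bits 0-11. Reasons >= 1000 are TLS
# alerts received from the peer (SSL_AD_REASON_OFFSET + alert number).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

# Standard TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

# "error:<8 hex digits>:<library>:<function>:<reason>" as printed by
# ERR_error_string(); a file name and line number may follow after another colon.
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")


@dataclass
class SslError:
    code: int
    lib: int
    func: int
    reason: int
    lib_name: str
    func_name: str
    reason_text: str
    peer_alert: Optional[str]  # set when the reason is an alert sent by the peer

    @property
    def is_local(self) -> bool:
        """True if this side decided to abort rather than relaying a peer alert."""
        return self.peer_alert is None


def parse_ssl_error(line: str) -> Optional[SslError]:
    """Decode one OpenSSL error line; None for trace lines without an error code."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    peer_alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert_no = reason - SSL_AD_REASON_OFFSET
        peer_alert = TLS_ALERTS.get(alert_no, "alert_%d" % alert_no)
    return SslError(code, lib, func, reason, m.group(2), m.group(3),
                    m.group(4).strip(), peer_alert)


def locate_failure(server_log: List[str], client_log: List[str]) -> Tuple[str, str]:
    """Name the side that raised a local (non-alert) error and the state it was in."""
    server = [e for e in map(parse_ssl_error, server_log) if e]
    client = [e for e in map(parse_ssl_error, client_log) if e]
    server_local = [e for e in server if e.is_local]
    client_local = [e for e in client if e.is_local]
    if server_local and not client_local:
        e = server_local[0]
        return "server", "%s while in %s" % (e.reason_text, e.func_name)
    if client_local and not server_local:
        e = client_local[0]
        return "client", "%s while in %s" % (e.reason_text, e.func_name)
    return "unknown", "no single side reported a local error"


# Trace lines copied from the report above (the wrapped client line rejoined).
SERVER_TRACE = [
    "TLS trace: SSL3 alert write:fatal:handshake failure",
    "TLS trace: SSL_accept:error in SSLv3 read client hello B",
    "TLS: can't accept.",
    "TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
]
CLIENT_TRACE = [
    "SSL_connect:SSLv2/v3 write client hello A",
    "SSL3 alert read:fatal:handshake failure",
    "SSL_connect:error in SSLv2/v3 read server hello A",
    "7587:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure:s23_clnt.c:583:",
]

if __name__ == "__main__":
    side, why = locate_failure(SERVER_TRACE, CLIENT_TRACE)
    print("handshake aborted by %s: %s" % (side, why))
```

On the report's traces the server code 0x1408A0C1 decodes to reason 193 ("no shared cipher"), a local error raised inside SSL3_GET_CLIENT_HELLO, while the client code 0x14077410 decodes to reason 1040, i.e. alert 40 (handshake_failure) relayed from the peer. So slapd rejected the ClientHello before any certificate was sent, which places the problem in what slapd itself had loaded (key, certificate, cipher list) rather than in whether the client trusts the certificate.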