Problems using TLS
Hello everybody!

I am working on converting my company's authentication system over to
OpenLDAP.
I have my LDAP database up and running, and am able to use the migration
tools to port over all of our users.  Also, I am able to authenticate to
this database via the Linux workstations/servers (RH7.1) and on our
Solaris 8 servers using an unencrypted connection (ldap://, port 389).
However, since our company has over 5,000 users, keeping security in mind
I would like to get SSL/TLS working in OpenLDAP.  I can compile OpenLDAP
with TLS support (./configure --with-tls) and have no problems.  However,
when I set up slapd to run ldaps (slapd -h ldaps:///), and then use a
client's ldapsearch utility, I get the following error: ldap_bind: Can't
contact LDAP server.  ldap.conf is configured to look at the correct port
on the server, and I have verified that by using ldapsearch -d 65535.
Using nmap I have also verified that ldapssl is running on port 636 on my
LDAP server.

I did a full debug on the ldap server, when trying to use ldapsearch from
the client, and here is the useful output:

connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 0c 02 01 01 60 07 02  01 03 04                  0....`.....
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:565
connection_read(9): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=9 for close
connection_close: conn=0 sd=9
daemon: removing 9
conn=-1 fd=9 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL

Here is the output from the client ldapsearch:

ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 134.129.212.33:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_delayed_open successful, ld_host is (null)
ldap_send_server_request
ber_flush: 14 bytes to sd 4
  0000:  30 0c 02 01 01 60 07 02  01 03 04 00 80 00         0....`........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 60 07 02  01 03 04 00 80 00         0....`........
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: treefrog.aero.und.edu  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jul 25 12:24:26 2001

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=0

ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server

Now, my biggest question is why the server is giving me this error when
setting up the SSL session:
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:565

On all of my machines, I am using OpenSSL 0.9.6b, the latest Netscape SDK,
and OpenLDAP 2.0.11.

Has anyone encountered this problem before and can help me out here?
I would really appreciate it.

Andy
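Decoding the 14 bytes from the client-side hex dump in the post, as an added example that is not part of Andy's message: the bytes parse as a cleartext LDAP BindRequest (BER SEQUENCE, tag 0x30) rather than a TLS record (which begins 0x16 0x03 ...), and the first 11 bytes the server read are exactly what SSL23_GET_CLIENT_HELLO then rejected as "unknown protocol". The classifier and BER decoder below are illustrative helpers written for this example; the byte string is constructed from the post's dump.

```python
"""Classify and decode the first bytes a TLS listener receives.

Added example: shows that the client in the post sent a plain LDAP
BindRequest to the ldaps port instead of a TLS ClientHello, which
is what a defender should check first when slapd logs
SSL23_GET_CLIENT_HELLO:unknown protocol.
"""

# Constructed from the "ber_flush: 14 bytes to sd 4" hex dump in the post.
CLIENT_BYTES = bytes.fromhex("300c020101600702010304008000")


def ber_tlv(buf, pos=0):
    """Parse one BER TLV with a definite length; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_first_bytes(buf):
    """Label what protocol the first bytes on the socket look like."""
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03:
        return "tls-record-handshake"       # TLS record layer, content type handshake
    if len(buf) >= 3 and buf[0] & 0x80 and buf[2] == 0x01:
        return "sslv2-client-hello"         # legacy SSLv2 2-byte header + CLIENT-HELLO
    if buf and buf[0] == 0x30:
        return "cleartext-ldap-ber"         # BER SEQUENCE: an unencrypted LDAPMessage
    return "unknown"


def decode_ldap_bind(buf):
    """Decode an LDAP BindRequest PDU; return a dict, or None if it is not one."""
    tag, msg, _ = ber_tlv(buf)
    if tag != 0x30:
        return None
    _, msgid, pos = ber_tlv(msg)            # INTEGER messageID
    op_tag, op, _ = ber_tlv(msg, pos)
    if op_tag != 0x60:                      # [APPLICATION 0] BindRequest
        return None
    _, version, pos = ber_tlv(op)           # INTEGER version
    _, name, pos = ber_tlv(op, pos)         # LDAPDN as OCTET STRING
    auth_tag, cred, _ = ber_tlv(op, pos)    # AuthenticationChoice ([0] = simple)
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode(),
        "auth": "simple" if auth_tag == 0x80 else f"choice-{auth_tag & 0x1F}",
        "credential_length": len(cred),
    }
```

Run against the prefix the server actually read (the first 11 bytes) the classifier gives the same verdict, so the check works on a partial read too.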