Problems using TLS
Hello everybody!
I am working on converting my company's authentication system over to
openldap.
I have my ldap database up and running, and am able to use the migration
tools to port over all of our users. Also, I am able to authenticate to
this database via the linux workstations/servers (RH7.1) and on our
solaris 8 servers using unencrypted connection (ldap://port 389).
However, since our company has over 5,000 users, keeping security in mind
I would like to get ssl/tls working in openldap. I can compile openldap
with tls support (./configure --with-tls) and have no problems. However,
when I set up slapd to run ldaps (slapd -h ldaps:///), and then use a
client's ldapsearch utility, I get the following error: ldap_bind: Can't
contact LDAP server. ldap.conf is configured to look at the correct port
on the server, and I have verified that by using ldapsearch -d 65535.
Using nmap I have also verified that ldapssl is running on port 636 on my
ldap server.
I did a full debug on the ldap server while trying to use ldapsearch from
the client; here is the useful output:
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 30 0c 02 01 01 60 07 02 01 03 04 0....`.....
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:565
connection_read(9): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=9 for close
connection_close: conn=0 sd=9
daemon: removing 9
conn=-1 fd=9 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
Here is the output from the client ldapsearch:
ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 134.129.212.33:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_delayed_open successful, ld_host is (null)
ldap_send_server_request
ber_flush: 14 bytes to sd 4
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: treefrog.aero.und.edu port: 636 (default)
refcnt: 2 status: Connected
last used: Wed Jul 25 12:24:26 2001
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=0
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server
Now, my biggest question is why the server is giving me this error when
setting up the ssl session:
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:565
On all of my machines, I am using openssl 0.9.6b, the latest netscape sdk,
and openldap 2.0.11.
Has anyone encountered this problem before and can help me out here?
I would really appreciate it.
Andy
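Editor's note and added example (not code from the post, from OpenLDAP or from OpenSSL). OpenSSL reports SSL23_GET_CLIENT_HELLO:unknown protocol when the first bytes on the socket are neither an SSLv2-format CLIENT-HELLO (first byte with the high bit set, third byte 0x01) nor an SSLv3/TLS handshake record (first byte 0x16). The bytes slapd read above, 30 0c 02 01 01 60 07 02 01 03 04 ..., are the BER encoding of a cleartext LDAPMessage: SEQUENCE, messageID 1, BindRequest, version 3, empty name, simple authentication with an empty password. The client trace agrees: it connects to port 636 and immediately ber_flushes that bind request with no TLS step, so the client is talking plain ldap:// to the ldaps port. The decoder below makes that check mechanical: feed it the first bytes a TLS listener received and it says whether the peer sent a TLS hello, an SSLv2 hello or a cleartext LDAP operation. The LDAP bytes are copied from the post's traces; the two TLS samples are constructed here.

```python
"""Tell a TLS/SSL ClientHello from a cleartext LDAP message by looking at
the first bytes a listener reads.

Added example, not code from the post, OpenLDAP or OpenSSL. The LDAP
bytes below are taken from the debug traces in the post; the TLS and
SSLv2 samples are constructed for this example.
"""

# LDAPMessage protocolOp tags (APPLICATION class), per RFC 2251.
LDAP_OPS = {
    0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
    0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone",
    0x77: "ExtendedRequest", 0x78: "ExtendedResponse",
}


def ber_length(buf, i):
    """Return (length, index after the length field) for a BER length at buf[i]."""
    first = buf[i]
    if first < 0x80:                       # short form: one byte
        return first, i + 1
    n = first & 0x7F                       # long form: n following bytes hold the length
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def ber_tlv(buf, i):
    """Return (tag, value bytes, index after the value) for the TLV at buf[i]."""
    if i >= len(buf):
        raise ValueError("truncated BER element")
    tag = buf[i]
    length, start = ber_length(buf, i + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[start:end], end


def decode_ldap(buf):
    """Decode an LDAPMessage: message ID, operation and, for a bind, its fields."""
    tag, body, _ = ber_tlv(buf, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE { ... }
        raise ValueError("not a SEQUENCE")
    tag, msgid, i = ber_tlv(body, 0)
    if tag != 0x02:                        # messageID INTEGER
        raise ValueError("missing messageID")
    info = {"msgid": int.from_bytes(msgid, "big")}
    op_tag, op, _ = ber_tlv(body, i)
    info["op"] = LDAP_OPS.get(op_tag, "op 0x%02x" % op_tag)
    if op_tag == 0x60:                     # BindRequest ::= { version, name, authentication }
        _, ver, j = ber_tlv(op, 0)
        _, name, j = ber_tlv(op, j)
        auth_tag, _, _ = ber_tlv(op, j)    # [0] simple password, [3] sasl
        info["version"] = int.from_bytes(ver, "big")
        info["name"] = name.decode("utf-8", "replace")
        info["auth"] = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "tag 0x%02x" % auth_tag)
    return info


def classify(first_bytes):
    """Name the protocol the peer spoke in its first bytes on the socket."""
    b = first_bytes
    if not b:
        return "no data"
    if len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03:
        # SSLv3/TLS record layer: content type 22 (handshake), major version 3
        return f"TLS handshake record (ClientHello), version 3.{b[2]}"
    if len(b) >= 3 and (b[0] & 0x80) and b[2] == 0x01:
        # SSLv2 record header (high bit set on the length) + CLIENT-HELLO type
        return "SSLv2-format CLIENT-HELLO"
    if b[0] == 0x30:                       # BER SEQUENCE: almost certainly an LDAPMessage
        try:
            return f"cleartext LDAP: {decode_ldap(b)}"
        except ValueError:
            pass
    return f"unknown (first byte 0x{b[0]:02x})"


# The 14 bytes the client's ber_flush wrote in the post (slapd's tls_read
# trace shows the first 11 of them).
CAPTURED_FROM_POST = bytes.fromhex("300c020101600702010304008000")
# Constructed samples of what a TLS listener should see instead.
CONSTRUCTED_TLS_HELLO = bytes.fromhex("160301002c0100002803010000")
CONSTRUCTED_SSLV2_HELLO = bytes.fromhex("802e010002")

if __name__ == "__main__":
    for sample in (CAPTURED_FROM_POST, CONSTRUCTED_TLS_HELLO, CONSTRUCTED_SSLV2_HELLO):
        print(sample[:6].hex(), "->", classify(sample))
```

Running it on the post's bytes prints a cleartext anonymous BindRequest (version 3) rather than any kind of hello, which is exactly the condition under which OpenSSL's s23 server code gives up with "unknown protocol". The same idea works for any TLS listener: if a tcpdump or server-side debug dump of the first packet does not start with 0x16 (or an SSLv2 0x80-style header), the client never began a handshake, whatever its configuration claims.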