
Re: Microsoft Outlook and OpenLDAP (over SSL)



Sorry to keep replying to my messages, but I figure the more info the
better chance I get some help :)  Anyway I can run

ldapsearch -v -H ldaps://<myFQDN>/ -x

and I get back all the results I should be getting.  I can also run 

openssl s_client -host <myFQDN> -port 636

CONNECTED(00000003)
depth=0 /C=US/ST=<mystate>/L=<mycity>/O=<myorg>/CN=<myFQDN>
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=<mystate>/L=<mycity>/O=<myorg>/CN=<myFQDN>
verify return:1
---
Certificate chain
 0 s:/C=US/ST=<mystate>/L=<mycity>/O=<myorg>/CN=<myFQDN>
   i:/C=US/ST=<mystate>/L=<mycity>/O=<myorg>/CN=<myFQDN>
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=<mystate>/L=<mycity>/O=<myorg>/CN=<myFQDN>
issuer=/C=US/ST=<mystate>/L=<mycity>/O=<myorg>/CN=<myFQDN>
---
No client certificate CA names sent
---
SSL handshake has read 787 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
87206E09CC418CA85D24021673176ECB1995F8D363EEA4C2EAD00133A78D311D   
Session-ID-ctx: 
    Master-Key:
F66C154C9D603EDAC1B74C6BA75930DF7BA9F0332924611435A13D109E41F1984648AE550ABBA827815C91BDB03E8862
    Key-Arg   : None
    Start Time: 1018748545
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

So now I'm believing that maybe outlook/outlook express can't connect to
ldaps port correctly.  I've also tried using stunnel, but that fails
with stunnel: SSL_accept: Peer suddenly disconnected.  Does anyone know
how I can test connectivity to my address book over ldaps (I think I can
do it in Mozilla but I'm not sure where)?  Has anyone got Outlook /
Outlook Express to connect over ldaps to OpenLDAP?

Thanks
Amith Varghese

On Sat, 2002-04-13 at 18:48, Amith Varghese wrote:
> I realized that I made a dumb mistake and forgot to put the locations of
> the TLS cert files in slapd.conf, so I added
> 
> # TLS Config
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/certs/ldapcert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldapkey.pem
> TLSCACertificateFile /usr/local/etc/openldap/certs/demoCA/cacert.pem
> TLSVerifyClient 0
> 
> However, now I'm getting the following errors.  Anyone have any
> suggestions?
> 
> Thanks
> Amith Varghese
> 
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> tls_write: want=87, written=87
>   0000:  52 cd 2d d6 69 52 1b 04  33 08 41 a3 ee 76 d4 77  
> R.-.iR..3.A..v.w  
>   0010:  33 70 a0 34 1d 25 3c da  80 90 e5 b4 94 dd 95 57  
> 3p.4.%<........W  
>   0020:  1a d9 a0 82 3e 0c 8e 83  f2 99 13 2d 3c fb 05 a6  
> ....>......-<...  
>   0030:  4d 64 58 60 6a 3c 9b 91  9c 4d 12 a0 7f b4 83 87  
> MdX`j<...M......  
>   0040:  ed 43 30 5d 57 c0 80 60  a1 1f e4 47 6f 3e 16 03  
> .C0]W..`...Go>..  
>   0050:  01 00 04 0e 00 00 00                              
> .......           
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10)
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> tls_read: want=5, got=0
> 
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
> daemon: removing 10
> conn=-1 fd=10 closed
> 
> 
> On Sat, 2002-04-13 at 16:37, Amith Varghese wrote:
> > I am trying to connect to my address book ($OpenLDAP: slapd
> > 2.0.23-Release) with Microsoft Outlook.  If I connect on 389 everything
> > works fine.  If I try to connect with SSL enabled (port 636) the
> > connection fails.  I start OpenLDAP up using
> > 
> > /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
> > 
> > The following is information from turning debugging on.  If anyone could
> > let me know why the SSL handshake is failing I would appreciate it.
> > 
> > Thanks
> > Amith Varghese
> > 
> > ______________________________________________________________________
> > 
> > connection_get(10): got connid=3
> > connection_read(10): checking for input on id=3
> > TLS trace: SSL_accept:before/accept initialization
> > tls_read: want=11, got=11
> >   0000:  80 6a 01 03 01 00 51 00  00 00 10                 
> > .j....Q....       
> > tls_read: want=97, got=97
> >   0000:  8f 80 01 80 00 03 80 00  01 81 00 01 81 00 03 82  
> > ................  
> >   0010:  00 01 00 00 04 00 00 05  00 00 0a 83 00 04 84 80  
> > ................  
> >   0020:  40 01 00 80 07 00 c0 03  00 80 00 00 09 06 00 40  
> > @..............@  
> >   0030:  00 00 64 00 00 62 00 00  03 00 00 06 83 00 04 84  
> > ..d..b..........  
> >   0040:  28 40 02 00 80 04 00 80  00 00 13 00 00 12 00 00  
> > (@..............  
> >   0050:  63 61 c8 dc af 5c 2f cb  b7 d9 01 53 34 16 4a 4d  
> > ca...\/....S4.JM  
> >   0060:  d0                                                
> > .                 
> > tls_write: want=7, written=7
> >   0000:  15 03 01 00 02 02 28                              
> > ......(           
> > TLS trace: SSL3 alert write:fatal:handshake failure
> > TLS trace: SSL_accept:error in SSLv3 read client hello B
> > TLS trace: SSL_accept:error in SSLv3 read client hello B
> > TLS: can't accept.
> > TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> > s3_srvr.c:769
> > connection_read(10): TLS accept error error=-1 id=3, closing
> > connection_closing: readying conn=3 sd=10 for close
> > 
> > 
> 
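Added example, not from the thread or from OpenLDAP: a POSIX shell script that reads a saved `openssl s_client` transcript like the one above and a `slapd` TLS debug trace like the two quoted ones, and reports what a defender wants to know from them: the negotiated protocol and cipher, the verify return code, whether the server certificate is self-signed (subject equals issuer, which is what verify code 18 means), and at which handshake stage the server-side trace gave up. The sample inputs are constructed from the lines quoted in the thread with placeholder names, so the script runs offline; `capture_sclient` is a hypothetical helper for taking a live transcript and needs network access.

```shell
#!/bin/sh
# Added example (not from the thread). Offline triage helpers for the two kinds
# of output quoted in this thread: an "openssl s_client" transcript and a slapd
# TLS debug trace. All sample input below is constructed from the thread's text.

# tls_report FILE
# Parse an s_client transcript and print "<protocol> <cipher> <verify code> <self-signed?>".
tls_report() {
  f="$1"
  proto=$(sed -n 's/^ *Protocol *: *//p' "$f" | head -n 1)
  cipher=$(sed -n 's/^ *Cipher *: *//p' "$f" | head -n 1)
  vcode=$(sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1)
  subject=$(sed -n 's/^subject=//p' "$f" | head -n 1)
  issuer=$(sed -n 's/^issuer=//p' "$f" | head -n 1)
  # A leaf whose issuer equals its subject is self-signed (OpenSSL verify code 18).
  if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then ss=yes; else ss=no; fi
  printf '%s %s %s %s\n' "${proto:-unknown}" "${cipher:-none}" "${vcode:-unknown}" "$ss"
}

# tls_verdict VERIFY_CODE CIPHER
# What a client that validates the server certificate against its own trust store
# (Outlook goes through the Windows certificate store) will do with this server.
tls_verdict() {
  case "$1" in
    0)      v="chain-trusted" ;;
    18|19)  v="self-signed-not-trusted" ;;   # such a client aborts after the server cert
    *)      v="verify-failed-$1" ;;
  esac
  case "$2" in
    *DES*|*RC4*|*NULL*|*EXP*) v="$v weak-cipher" ;;  # 3DES, RC4, NULL and export grades
  esac
  echo "$v"
}

# slapd_verdict FILE
# Locate the handshake stage at which slapd's TLS trace gave up.
slapd_verdict() {
  f="$1"
  if grep -q 'no shared cipher' "$f"; then
    echo "no-shared-cipher"                 # no usable cert/key, or disjoint cipher lists
  elif grep -q 'write server done' "$f" && grep -q 'tls_read: want=5, got=0' "$f"; then
    echo "peer-closed-after-server-cert"    # client hung up once it had seen the certificate
  elif grep -q "TLS: can't accept" "$f"; then
    echo "accept-failed-other"
  else
    echo "no-failure-seen"
  fi
}

# capture_sclient HOST [PORT]: hypothetical live helper (needs network; not used below).
# Prints the path of a file holding the s_client transcript for tls_report.
capture_sclient() {
  out=$(mktemp)
  openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null >"$out" 2>&1
  echo "$out"
}

# --- constructed samples, modelled on the output quoted in the thread ---
SCLIENT_SAMPLE=$(mktemp)
cat >"$SCLIENT_SAMPLE" <<'EOF'
subject=/C=US/ST=State/L=City/O=Org/CN=ldap.example.test
issuer=/C=US/ST=State/L=City/O=Org/CN=ldap.example.test
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Verify return code: 18 (self signed certificate)
EOF

TRACE_NO_CIPHER=$(mktemp)
cat >"$TRACE_NO_CIPHER" <<'EOF'
TLS trace: SSL3 alert write:fatal:handshake failure
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
EOF

TRACE_PEER_CLOSED=$(mktemp)
cat >"$TRACE_PEER_CLOSED" <<'EOF'
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_read: want=5, got=0
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
EOF

# Run the triage over the samples.
report=$(tls_report "$SCLIENT_SAMPLE")
echo "s_client: $report"
echo "verdict : $(tls_verdict "$(echo "$report" | cut -d' ' -f3)" "$(echo "$report" | cut -d' ' -f2)")"
echo "trace 1 : $(slapd_verdict "$TRACE_NO_CIPHER")"
echo "trace 2 : $(slapd_verdict "$TRACE_PEER_CLOSED")"
```

On the thread's own transcripts this yields a self-signed certificate with verify code 18 and a 3DES cipher on the client side, a "no shared cipher" failure for the first trace (taken before the certificate and key paths were configured), and a peer-closed-after-server-cert failure for the second, which is the pattern a certificate-validating client produces when it does not trust the certificate it was just sent. Importing the CA certificate into the client's trust store, or issuing the server certificate from a CA the client already trusts, is the fix that test points to.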


