[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
TLS server side auth problem
I'm planning to use our replicated LDAP directory for
user authentication purposes soon. Because of this I
want to ensure all slurpd's communication with the
slave LDAP servers are encrypted.
I'm having a problem with getting TLS communications
working. I have followed the instrcutions using
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
but cannot get ldapsearch -ZZ to work without a client
certificate (which I don't want to use).
If I put the serverkey and servercert in the .ldaprc
file (I know this is for the client certs but as a
test..) then ldapsearch -ZZ -x -h <FQDN> works. If I
take them out of .ldaprc it fails:
[root@test root]# ldapsearch -ZZ -x -H
ldap://test.mydomain.com
ldap_start_tls: Connect error
additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure
slapd shows:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello
B
TLS trace: SSL_accept:error in SSLv3 read client hello
B
TLS: can't accept.
TLS: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c:772
connection_read(16): TLS accept error error=-1 id=8,
closing
The openssh client_s test also fails:
[root@test root]# openssl s_client -connect
192.168.0.1:ldap -showcerts -state -CAfile
/etc/openldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
9521:error:140790E5:SSL routines:SSL23_WRITE:ssl
handshake failure:s23_lib.c:226:
Maybe because I'm connecting to the normal ldap port
(not sure if the openssh is valid for ldap port maybe
only TLS with start_tls?)
If I repeat the openssh s_client test on ldaps:
[root@test root]# openssl s_client -connect
192.168.0.1:ldaps -showcerts -state -CAfile
/etc/openldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
9758:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:455:
Slightly different. Using the FQDN instead of IP makes
no difference.
If I put the certs in .ldaprc the openssh test works
with IP:ldaps but not IP:ldap (I assume this is
normal).
I'm using openldap 2.0.27 on RedHat 7.2 (using the
2.0.27-2.7.3 rpm).
Don't understand why specifying a client cert (the
same as the server's as this is all the same box)
works. Theres no TLSVerifyClient in my slapd.conf or
anything).
Any help appreciated.
Pete
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com