
Re: TLS server side auth problem



I still haven't made any progress on this.  No one
replied to my post below.  Is this because:

- no one knows
- my post is not appropriate in some way
- I'm a berk for not spotting something obvious :)

I can't move forward with our LDAP rollout until this
is resolved - does anyone have any suggestions?

Pete.

--- peter pan <lanwanhr@yahoo.com> wrote:
> I'm planning to use our replicated LDAP directory for
> user authentication purposes soon.  Because of this I
> want to ensure all slurpd's communication with the
> slave LDAP servers is encrypted.
> 
> I'm having a problem with getting TLS communications
> working.  I have followed the instructions using
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> but cannot get ldapsearch -ZZ to work without a client
> certificate (which I don't want to use).
> 
> If I put the serverkey and servercert in the .ldaprc
> file (I know this is for the client certs but as a
> test..) then ldapsearch -ZZ -x -h <FQDN> works.  If I
> take them out of .ldaprc it fails:
> 
> [root@test root]# ldapsearch -ZZ -x -H ldap://test.mydomain.com
> ldap_start_tls: Connect error
>         additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> 
> slapd shows:
> 
> TLS trace: SSL3 alert write:fatal:handshake failure
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS: can't accept.
> TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772
> connection_read(16): TLS accept error error=-1 id=8, closing
> 
> The openssl s_client test also fails:
> 
> [root@test root]# openssl s_client -connect 192.168.0.1:ldap -showcerts -state -CAfile /etc/openldap/cacert.pem
> 
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 9521:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
> 
> Maybe because I'm connecting to the normal ldap port
> (not sure if the openssl test is valid for the ldap
> port, maybe only TLS with start_tls?)
> 
> If I repeat the openssl s_client test on ldaps:
> 
> [root@test root]# openssl s_client -connect 192.168.0.1:ldaps -showcerts -state -CAfile /etc/openldap/cacert.pem
> 
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 9758:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:
> 
> Slightly different.  Using the FQDN instead of IP
> makes no difference.
> 
> If I put the certs in .ldaprc the openssl test works
> with IP:ldaps but not IP:ldap (I assume this is
> normal).
> 
> I'm using openldap 2.0.27 on RedHat 7.2 (using the
> 2.0.27-2.7.3 rpm).
> 
> Don't understand why specifying a client cert (the
> same as the server's as this is all the same box)
> works.  There's no TLSVerifyClient in my slapd.conf
> or anything.
> 
> Any help appreciated.
> 
> Pete
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site
> design software
> http://sitebuilder.yahoo.com

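Added here as a worked example, not code from this thread or from the OpenLDAP project: a small Python parser for the OpenSSL error strings that ldapsearch, slapd and s_client print above. It unpacks the classic OpenSSL error code (library, function and reason fields) so the numeric code can be checked against the reason text, records the source file and line when the tool appended one, and attaches a defender-side triage hint. The hints, the server/client inference from the function name, and the sample log lines (the thread's three errors re-joined onto single lines) are all constructed assumptions for the example; the thread itself does not state a cause.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Classic OpenSSL (0.9.x - 1.1.x) packs an error code as
#   bits 24-31 = library, bits 12-23 = function, bits 0-11 = reason.
# OpenSSL 3.x stopped encoding the function (that field is 0 there),
# so only the library and reason fields are treated as authoritative.
ERR_LIB_SSL = 20  # 0x14, the "SSL routines" library

# Reason codes from OpenSSL's ssl.h for the three errors in the thread.
SSL_REASONS = {
    193: "no shared cipher",
    229: "ssl handshake failure",
    1040: "sslv3 alert handshake failure",
}

# Triage hints keyed on (reason code, side). General OpenSSL behaviour,
# written as an assumption for this example; the thread states no cause.
TRIAGE = {
    (193, "server"): ("server could not pick a cipher suite usable with its loaded "
                      "credentials; with RSA suites that usually means no server "
                      "certificate/key was loaded, so check TLSCertificateFile and "
                      "TLSCertificateKeyFile in slapd.conf and that the key matches."),
    (1040, "client"): ("peer sent a handshake_failure alert; the real cause is in "
                       "the server's log, not the client's."),
    (229, "client"): ("client gave up before any ServerHello; the port is probably "
                      "not speaking TLS (e.g. plain ldap:// without STARTTLS)."),
}

# 'error:<8 hex digits>:<library>:<function>:<reason ...>' as printed by
# ERR_error_string(); slapd and s_client may append 'file.c:line'.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
LOC_RE = re.compile(r"\s*:?([A-Za-z0-9_]+\.c):(\d+):?\s*$")


@dataclass
class OpenSSLError:
    code: int
    lib_num: int
    func_num: int
    reason_num: int
    lib: str
    func: str
    reason: str
    file: Optional[str]
    line: Optional[int]
    side: str  # "server" or "client", inferred from the function name


def parse_openssl_error(text: str) -> Optional[OpenSSLError]:
    """Parse one log line; return None if it carries no OpenSSL error."""
    m = ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    rest = m.group(4)
    loc = LOC_RE.search(rest)
    file, line = None, None
    reason = rest.strip()
    if loc:
        file, line = loc.group(1), int(loc.group(2))
        reason = rest[: loc.start()].strip(" :")
    func = m.group(3)
    # Heuristic (assumption): functions handling the ClientHello or SSL_accept
    # run on the server; every other function in the thread's traces is client side.
    side = "server" if ("CLIENT_HELLO" in func or "ACCEPT" in func) else "client"
    return OpenSSLError(
        code=code,
        lib_num=(code >> 24) & 0xFF,
        func_num=(code >> 12) & 0xFFF,
        reason_num=code & 0xFFF,
        lib=m.group(2), func=func, reason=reason,
        file=file, line=line, side=side,
    )


def triage(lines: List[str]) -> List[dict]:
    """Decode every SSL-library error in the given lines and attach a hint."""
    out = []
    for ln in lines:
        err = parse_openssl_error(ln)
        if err is None or err.lib_num != ERR_LIB_SSL:
            continue
        decoded = SSL_REASONS.get(err.reason_num, "unknown reason")
        out.append({
            "code": f"{err.code:08X}",
            "side": err.side,
            "function": err.func,
            "reason_num": err.reason_num,
            "reason": err.reason,
            # False when the text and the numeric code disagree (e.g. a log
            # line re-wrapped by a mail client), so the number is trusted.
            "text_matches_code": decoded == err.reason,
            "file": err.file,
            "line": err.line,
            "hint": TRIAGE.get((err.reason_num, err.side), "no specific hint"),
        })
    return out


# Constructed sample: the thread's three errors, re-joined onto single
# lines the way the tools print them before a mail client wraps them.
SAMPLE_LOG = [
    "ldap_start_tls: Connect error additional info: error:14077410:SSL "
    "routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
    "TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772",
    "9521:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:",
]

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item['code']} {item['side']:6} reason {item['reason_num']:4} "
              f"({item['reason']}) -> {item['hint']}")
```

The point of decoding the number rather than matching the text is that the reason field is the stable part of the message: the server-side code 1408A0C1 decodes to reason 193 ("no shared cipher") regardless of how the line was wrapped, while the client only ever sees the generic handshake_failure alert (1040), which is why the server log, not ldapsearch or s_client output, is where the cause has to be read.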